CVE-2026-2446
Status: Received - Intake
Authorization Bypass and CSRF in PowerPack for LearnDash Plugin

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: WPScan

Description
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-06
Generated
2026-05-07
AI Q&A
2026-03-06
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
learndash powerpack to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2446 affects the PowerPack for LearnDash WordPress plugin versions prior to 1.3.0. The vulnerability exists because the plugin does not implement proper authorization and CSRF (Cross-Site Request Forgery) checks in an AJAX action called learndash_save_class_data_ajax.

This flaw allows unauthenticated users to send specially crafted requests to the WordPress AJAX handler, enabling them to update arbitrary WordPress options such as default_role. By exploiting this, attackers can create arbitrary admin users without needing to authenticate.


How can this vulnerability impact me?

The vulnerability can have severe impacts including unauthorized privilege escalation. Attackers can create admin users on your WordPress site without authentication, giving them full control over the site.

They can also modify critical WordPress options such as the default user role, potentially allowing further unauthorized registrations and access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the WordPress AJAX handler endpoint `wp-admin/admin-ajax.php` that include the parameter `action=learndash_save_class_data_ajax`.

Specifically, look for requests that attempt to modify the `class_name` parameter to `users_can_register` or other critical WordPress options via the `formData` parameter.

A sample command to detect such attempts using command-line tools like curl or network monitoring tools could be:

- Using grep on web server logs to find suspicious POST requests: `grep 'action=learndash_save_class_data_ajax' /var/log/apache2/access.log`
- Using tcpdump or Wireshark to filter HTTP POST requests to `admin-ajax.php` containing the vulnerable action parameter.
- Using curl to test the vulnerability (for detection purposes only): `curl -X POST https://example.com/wp-admin/admin-ajax.php -d 'action=learndash_save_class_data_ajax&class_name=users_can_register&formData=1'`

[1]
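The grep suggested above can be turned into a small parser that understands the log format rather than matching a raw substring. The following is an added example written for this page, not code from the advisory, the plugin or WPScan. It parses Apache/nginx combined-format access log lines (the sample lines are constructed) and flags requests to `wp-admin/admin-ajax.php` whose query string names the vulnerable action. It also illustrates the limitation a practitioner should keep in mind: a standard access log records only the request line, so an `action` parameter sent in the POST body, as in the curl example, is not visible there and needs a WAF or audit log that captures request bodies.

```python
"""Flag admin-ajax.php requests carrying the vulnerable PowerPack for LearnDash action.

Added example, not part of the advisory. Scans combined-format access log lines
(constructed below) for requests to wp-admin/admin-ajax.php whose query string
names action=learndash_save_class_data_ajax. Parameters carried only in a POST
body are not present in a standard access log and cannot be detected this way.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "METHOD target protocol" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_ACTION = "learndash_save_class_data_ajax"  # action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter
    fields["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return fields


def is_suspicious(entry):
    """True when a request targets admin-ajax.php with the vulnerable action in its query string."""
    return (
        entry is not None
        and entry["path"].endswith(AJAX_PATH)
        and entry["query"].get("action") == VULN_ACTION
    )


def scan(lines):
    """Return (host, time, method, query) tuples for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["host"], entry["time"], entry["method"], entry["query"]))
    return hits


# Constructed sample lines: a benign AJAX call, one hit with the action in the query
# string, one POST whose parameters travelled in the body (invisible here), one page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2026:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Mar/2026:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=learndash_save_class_data_ajax&class_name=default_role HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [06/Mar/2026:10:15:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '192.0.2.9 - - [06/Mar/2026:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, when, method, query in scan(SAMPLE_LOG):
        print(f"{when} {host} {method} admin-ajax action={query.get('action')} params={query}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`. The third sample line is the important negative: it is the same client a second later with no query string, which is exactly what a body-carried request looks like in an access log, so an alert on the first hit should prompt a look at WAF or application-level logs for the surrounding requests.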


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the PowerPack for LearnDash WordPress plugin to version 1.3.0 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the `wp-admin/admin-ajax.php` endpoint or implement web application firewall (WAF) rules to block POST requests containing the parameter `action=learndash_save_class_data_ajax`.

Additionally, review and monitor WordPress user roles and options for unauthorized changes, especially the `default_role` setting and the presence of unexpected admin users.
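The review step above is easiest to repeat reliably when a trusted baseline is compared against the current state rather than eyeballed in the dashboard. The following is an added example for this page, not code from the advisory or the plugin. It audits the two things this CVE lets an attacker change, the watched options and the set of administrator accounts, and reports drift. The snapshot layout is an assumption: options as a name-to-value dict (as `wp option get` would return them) and users as records in the field layout `wp user list --format=json` produces (ID, user_login, user_email, user_registered, roles as a comma-separated string). Both snapshots are constructed.

```python
"""Audit WordPress options and administrator accounts for unauthorized changes.

Added example, not part of the advisory. Compares a trusted baseline snapshot
against the current state. Snapshot layout is an assumption modelled on
`wp option get` and `wp user list --format=json`; both snapshots are constructed.
"""

# Options the advisory names (default_role) plus two a defender would watch alongside it
WATCHED_OPTIONS = ("default_role", "users_can_register", "admin_email")


def option_changes(baseline, current):
    """Return [(option, old, new)] for watched options whose value differs from the baseline."""
    return [
        (name, baseline.get(name), current.get(name))
        for name in WATCHED_OPTIONS
        if baseline.get(name) != current.get(name)
    ]


def admin_logins(users):
    """Set of user_login values that hold the administrator role."""
    return {u["user_login"] for u in users if "administrator" in u["roles"].split(",")}


def unexpected_admins(baseline_users, current_users):
    """Administrator accounts present now that were not administrators in the baseline."""
    new = admin_logins(current_users) - admin_logins(baseline_users)
    return sorted(
        (u for u in current_users if u["user_login"] in new),
        key=lambda u: u["user_registered"],
    )


def audit(baseline, current):
    """Combine both checks into one report dict."""
    return {
        "option_changes": option_changes(baseline["options"], current["options"]),
        "unexpected_admins": [
            u["user_login"] for u in unexpected_admins(baseline["users"], current["users"])
        ],
    }


# Constructed snapshots: the baseline is the known-good state, the current one shows the
# kind of drift the advisory describes (default_role flipped, registration enabled, new admin).
BASELINE_SNAPSHOT = {
    "options": {"default_role": "subscriber", "users_can_register": "0", "admin_email": "ops@example.com"},
    "users": [
        {"ID": 1, "user_login": "siteowner", "user_email": "ops@example.com",
         "user_registered": "2024-01-10 09:00:00", "roles": "administrator"},
        {"ID": 2, "user_login": "editor1", "user_email": "ed@example.com",
         "user_registered": "2024-02-01 12:00:00", "roles": "editor"},
    ],
}
CURRENT_SNAPSHOT = {
    "options": {"default_role": "administrator", "users_can_register": "1", "admin_email": "ops@example.com"},
    "users": BASELINE_SNAPSHOT["users"] + [
        {"ID": 57, "user_login": "wpadm_tmp", "user_email": "x@example.net",
         "user_registered": "2026-03-06 10:15:12", "roles": "administrator"},
    ],
}

if __name__ == "__main__":
    report = audit(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    for name, old, new in report["option_changes"]:
        print(f"option {name} changed: {old!r} -> {new!r}")
    for login in report["unexpected_admins"]:
        print(f"unexpected administrator: {login}")
```

Feeding real data is a matter of replacing the constructed dicts with the parsed output of the WP-CLI commands named in the lead-in and keeping the baseline under version control, so that any non-empty report is a change someone has to account for.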

