9.8
LearnDash PowerPack Plugin Allows Unauthenticated User Actions
CVE-2026-2446
Summary
Versions of the PowerPack for LearnDash plugin for WordPress before 1.3.0 can be exploited by unauthenticated users to make unauthorized changes to the website, including setting the default user role and creating new administrator accounts. This poses a significant risk to the security and integrity of the website. To prevent this, update the PowerPack plugin to version 1.3.0 or later.
Original title
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such a...
Original description
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc.) and create arbitrary admin users.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-862
Missing Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
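A post-update check for the two impacts the description names, a changed default_role and unexpected administrator accounts, written as an added example that is not part of the advisory or the plugin. It assumes rows exported from wp_options, wp_users and wp_usermeta; the sample rows, the expected-role set and the known-good cutoff are constructed.

```python
import re
from datetime import datetime

# Assumption: new registrations on this site should only ever get this role.
EXPECTED_DEFAULT_ROLES = {"subscriber"}
TS = "%Y-%m-%d %H:%M:%S"  # format of wp_users.user_registered

def roles_from_capabilities(meta_value):
    """Role names enabled in a PHP-serialized wp_capabilities value."""
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', meta_value))

def audit(options, users, usermeta, known_good):
    """Return findings for the two impacts named in the advisory."""
    findings = []
    role = options.get("default_role", "subscriber")
    if role not in EXPECTED_DEFAULT_ROLES:
        findings.append(("default_role", role))
    # The meta key is "<table prefix>capabilities", so match on the suffix.
    roles = {}
    for row in usermeta:
        if row["meta_key"].endswith("capabilities"):
            roles[row["user_id"]] = roles_from_capabilities(row["meta_value"])
    # known_good: last time the administrator list was reviewed (assumption).
    cutoff = datetime.strptime(known_good, TS)
    for user in users:
        registered = datetime.strptime(user["user_registered"], TS)
        if "administrator" in roles.get(user["ID"], set()) and registered > cutoff:
            findings.append(("new_admin", user["user_login"]))
    return findings

# Constructed sample rows, shaped like wp_options, wp_users and wp_usermeta exports.
OPTIONS = {"default_role": "administrator", "blogname": "Example LMS"}
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2024-01-10 09:00:00"},
    {"ID": 7, "user_login": "student01", "user_registered": "2026-02-20 14:30:00"},
    {"ID": 9, "user_login": "unknown-admin", "user_registered": "2026-02-21 03:12:45"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 9, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for kind, value in audit(OPTIONS, USERS, USERMETA, "2026-01-01 00:00:00"):
        print(f"{kind}: {value}")
```

Updating to 1.3.0 does not revert option values or remove accounts that were already written, so any finding here needs manual review.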