Cyber Resilience

CVE-2026-2446

Severity: Critical
Published: 06 March 2026
Modified: 15 April 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0030 (21.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-2446 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-2446, published on 2026-03-06, affects the PowerPack for LearnDash WordPress plugin in versions before 1.3.0. The vulnerability arises from missing authorization and CSRF checks in an AJAX action, classified under CWE-862 (Missing Authorization). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed AJAX endpoint, they can update arbitrary WordPress options, such as default_role, and create arbitrary admin users, enabling full administrative control over the affected site.

The WPScan advisory at https://wpscan.com/vulnerability/cbc95cea-e5d4-4874-add6-c8c728b683b7/ details the issue, with mitigation achieved by updating the PowerPack for LearnDash plugin to version 1.3.0 or later.

Vulnerability details

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.
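The defect class described above, as an added illustration that is not the PowerPack for LearnDash plugin's own code: a WordPress AJAX handler that accepts unauthenticated callers and writes whatever option they name, beside the hardened form that adds the nonce (CSRF) check, the capability (authorization) check and an allowlist of writable options. The action name, option names and function names are hypothetical.

```php
<?php
// Added illustration of the defect class; NOT the PowerPack for LearnDash
// plugin's code. Action name, option names and function names are hypothetical.

// Vulnerable pattern: registered on the nopriv hook (unauthenticated callers),
// no capability check, no nonce check, and the option name is taken verbatim
// from the request, so any caller can rewrite an option such as default_role.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// Hardened pattern: authenticated hook only, nonce check, capability check,
// and an allowlist of the options this handler is allowed to touch.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_enable_feature', 'example_items_per_page' );

add_action( 'wp_ajax_example_save_setting', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    // CSRF: the nonce must have been issued for this action to this user
    // (wp_create_nonce / wp_nonce_field with the same action string).
    // check_ajax_referer() terminates the request with -1 if it fails.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Authorization: only users who may manage options reach the write below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist: the request may only choose among known, low-impact options,
    // never core options such as default_role or users_can_register.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The two checks map onto the controls listed under Mitigating Controls: the capability check is the access enforcement (AC-3) piece, and the nonce check is the session-authenticity piece that the CSRF finding concerns.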

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin AJAX endpoint (T1190) allows updating arbitrary options and creating arbitrary admin users (T1136.001), granting full site control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13342 (shared CWE-862)
CVE-2023-53923 (shared CWE-862)
CVE-2024-12296 (shared CWE-862)
CVE-2025-5483 (shared CWE-862)
CVE-2025-8059 (shared CWE-862)
CVE-2026-2992 (shared CWE-862)
CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of the AJAX action lacking authorization checks to update WordPress options and create admin users.

SC-14 (Public Access Protections), prevent: Mandates identification and authentication or equivalent protections for publicly accessible interfaces, blocking remote unauthenticated access to the vulnerable plugin AJAX endpoint.

Prevent: Protects communications session authenticity to mitigate the missing CSRF checks, which could otherwise allow forged requests to the AJAX action even when basic access controls are present.
