CVE-2026-2446
Published: 06 March 2026
Summary
CVE-2026-2446 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-2446, published on 2026-03-06, affects the PowerPack for LearnDash WordPress plugin in versions before 1.3.0. The vulnerability arises from missing authorization and CSRF checks in an AJAX action, classified under CWE-862 (Missing Authorization). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed AJAX endpoint, they can update arbitrary WordPress options, such as default_role, and create arbitrary admin users, enabling full administrative control over the affected site.
The WPScan advisory at https://wpscan.com/vulnerability/cbc95cea-e5d4-4874-add6-c8c728b683b7/ details the issue, with mitigation achieved by updating the PowerPack for LearnDash plugin to version 1.3.0 or later.
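The defect class the advisory describes is an AJAX handler that unauthenticated users can reach and that lacks both a capability check and a nonce check. The following is an added illustration, not code from PowerPack for LearnDash: a hypothetical handler (names prefixed demo_ are invented) showing the vulnerable shape in the comment and the hardened form in code.

```php
<?php
// Illustrative pattern only; hypothetical handler, not the plugin's code.
// The vulnerable shape the advisory describes looks like this in WordPress:
//
//   add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting' ); // nopriv: no login needed
//   function demo_save_setting() {
//       update_option( $_POST['name'], $_POST['value'] ); // no capability check, no nonce check,
//       wp_send_json_success();                           // and the client names the option
//   }
//
// The hardened form restricts the action to logged-in users, requires the
// manage_options capability, verifies a nonce, and whitelists the option written.

// Register only the authenticated hook. Not registering the wp_ajax_nopriv_
// variant keeps anonymous requests out of this handler entirely.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting' );

function demo_save_setting() {
    // 1. Authorization: only users with manage_options may change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // 2. CSRF: require a nonce tied to this action; dies with 403 on failure.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // 3. Never let the client name the option. Map a short key to a fixed option
    //    so default_role, users_can_register and similar are unreachable here.
    $allowed = array(
        'items_per_page' => 'demo_items_per_page',
    );
    $key = isset( $_POST['setting'] ) ? sanitize_key( $_POST['setting'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    // 4. Validate the value for this specific setting before storing it.
    $value = absint( $_POST['value'] ?? 0 );
    update_option( $allowed[ $key ], $value );
    wp_send_json_success();
}

// The admin page that issues the request must carry the matching nonce, e.g.:
// wp_localize_script( 'demo-admin', 'demo', array( 'nonce' => wp_create_nonce( 'demo_save_setting' ) ) );
```

Reviewing a plugin for this bug class means listing every wp_ajax_nopriv_ registration and confirming each handler either needs no privilege at all or performs both of the checks above.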
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10002
Vulnerability details
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin AJAX endpoint (T1190, Exploit Public-Facing Application) allows updating arbitrary options and creating arbitrary admin users (T1136.001, Create Account: Local Account), granting full site control.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of the AJAX action lacking authorization checks to update WordPress options and create admin users.
SC-14 (Public Access Protections): mandates identification and authentication or equivalent protections for publicly accessible interfaces, blocking remote unauthenticated access to the vulnerable plugin AJAX endpoint.
SC-23 (Session Authenticity): protects communications session authenticity to mitigate the missing CSRF checks, which could otherwise allow forged requests to the AJAX action even where basic access controls are present.