CVE-2026-2446 · CRITICAL 9.8 · EPSS p21.8%


Description

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role, etc.) and create arbitrary admin users.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.8% · 2026-06-19T12:03:05Z
Published: 2026-03-06
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-862

References

  1. https://wpscan.com/vulnerability/cbc95cea-e5d4-4874-add6-c8c728b683b7/


Type | Target | Confidence | Tier
Weakness | Missing Authorization (cwe-862) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-2563
CVE-2025-4474
CVE-2026-2418
CVE-2025-2266
CVE-2025-4104
CVE-2025-2594

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.