Critical severity9.8NVD Advisory· Published Mar 6, 2026· Updated Apr 15, 2026
CVE-2026-2446
CVE-2026-2446
Description
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <1.3.0
Patches
Vulnerability mechanics
References
1News mentions
1- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and MoreThe Hacker News · Jun 22, 2026