VYPR
Critical severity9.8NVD Advisory· Published Mar 6, 2026· Updated Apr 15, 2026

CVE-2026-2446

CVE-2026-2446

Description

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

1