LeakyCreds

CVE-2026-2446 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 9, 2026

PowerPack for LearnDash - Broken Access Control

Published: March 6, 2026 | Updated: March 9, 2026 | Remote Exploitable

Overview

PowerPack for LearnDash WordPress plugin versions before 1.3.0 contain a broken access control vulnerability: an AJAX action lacks authorization and CSRF checks, letting unauthenticated attackers update arbitrary options and create admin users.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 7.4% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can modify WordPress options and create admin users, leading to full site takeover.

Mitigation

Update to version 1.3.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 7, 2026

🔓 CVE-2026-2446 - Critical (9.8) The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2446/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-2446
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed
EPSS: 7.4%
Social Posts: 1

CWE

  • CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.4% (Probability of exploitation in the next 30 days)