CVE-2026-12153 — WP Learn Manager Plugin Authorization Bypass
The WP Learn Manager plugin for WordPress, in versions up to and including 1.1.8, is vulnerable to an authorization bypass (CVE-2026-12153) allowing unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository, potentially leading to full site compromise.
CVE-2026-12153 addresses a critical authorization bypass vulnerability affecting all versions of the WP Learn Manager plugin for WordPress, specifically up to and including 1.1.8. The flaw stems from the plugin's failure to adequately verify user authorization prior to executing certain actions. This critical oversight enables unauthenticated attackers to leverage vulnerable endpoints to install and activate arbitrary plugins directly from the WordPress.org repository on the compromised site. The ability to install and activate arbitrary plugins provides a clear path to achieving unauthenticated Remote Code Execution (RCE) or complete site takeover by installing a malicious plugin. This vulnerability poses a severe risk to WordPress sites utilizing the affected plugin, allowing attackers to gain control without requiring any prior authentication or credentials.
Attack Chain
- An unauthenticated attacker identifies a WordPress site running the vulnerable WP Learn Manager plugin (version 1.1.8 or earlier).
- The attacker crafts a malicious HTTP POST request targeting the
wp-admin/admin-ajax.phpendpoint, which handles AJAX requests for WordPress and plugins. - The crafted request includes parameters specifically designed to invoke plugin installation or activation actions, such as
action=install-pluginoraction=activate-plugin, exploiting the WP Learn Manager's missing authorization checks. - The attacker specifies a plugin name or slug from the official WordPress.org repository within the request, which could be a legitimate but vulnerable plugin, or one with known backdoors.
- Due to the authorization bypass in WP Learn Manager, the WordPress core or the plugin proceeds to process the request without verifying the attacker's administrative privileges.
- The WordPress site then downloads, installs, and activates the attacker-specified plugin from the WordPress.org repository.
- Upon activation, if the installed plugin contains malicious code (e.g., a web shell, backdoor, or configuration changes), the attacker gains persistent access or achieves unauthenticated Remote Code Execution (RCE) on the server.
- The attacker can then perform further malicious actions, such as data exfiltration, defacement, or embedding malware for visitor compromise.
Impact
The impact of successful exploitation of CVE-2026-12153 is severe, rated with a CVSS v3.1 base score of 9.8 (Critical). An unauthenticated attacker can achieve complete compromise of the affected WordPress site, potentially leading to unauthenticated Remote Code Execution (RCE). This could result in unauthorized access to sensitive data, website defacement, arbitrary code execution on the underlying server, and the ability to inject malware that could infect site visitors. Given the ease of exploitation and the lack of authentication required, affected organizations face a high risk of significant data breaches, operational disruption, and reputational damage if their sites are compromised.
Recommendation
- Immediately update the WP Learn Manager plugin to a patched version beyond 1.1.8 to remediate CVE-2026-12153.
- Deploy the provided Sigma rule to detect attempts at exploiting this authorization bypass on your web server logs.
- Monitor WordPress activity logs for unusual or unauthenticated plugin installations or activations that could indicate successful exploitation.
- Regularly review installed plugins and themes on all WordPress sites for legitimacy and remove any unknown or unauthorized components.
Detection coverage 1
Detects CVE-2026-12153 Exploitation — Unauthenticated WP Learn Manager Plugin Actions
highDetects exploitation attempts against CVE-2026-12153, where unauthenticated attackers attempt to install or activate WordPress plugins via the vulnerable WP Learn Manager plugin's AJAX endpoints.
Detection queries are available on the platform. Get full rules →