{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-learn-manager--1.1.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-12153"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Learn Manager \u003c= 1.1.8"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","authorization-bypass","cve","web-application","critical-vulnerability"],"_cs_type":"advisory","_cs_vendors":["rabilal"],"content_html":"\u003cp\u003eCVE-2026-12153 addresses a critical authorization bypass vulnerability affecting all versions of the WP Learn Manager plugin for WordPress, specifically up to and including 1.1.8. The flaw stems from the plugin's failure to adequately verify user authorization prior to executing certain actions. This critical oversight enables unauthenticated attackers to leverage vulnerable endpoints to install and activate arbitrary plugins directly from the WordPress.org repository on the compromised site. The ability to install and activate arbitrary plugins provides a clear path to achieving unauthenticated Remote Code Execution (RCE) or complete site takeover by installing a malicious plugin. This vulnerability poses a severe risk to WordPress sites utilizing the affected plugin, allowing attackers to gain control without requiring any prior authentication or credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable WP Learn Manager plugin (version 1.1.8 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint, which handles AJAX requests for WordPress and plugins.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes parameters specifically designed to invoke plugin installation or activation actions, such as \u003ccode\u003eaction=install-plugin\u003c/code\u003e or \u003ccode\u003eaction=activate-plugin\u003c/code\u003e, exploiting the WP Learn Manager's missing authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies a plugin name or slug from the official WordPress.org repository within the request, which could be a legitimate but vulnerable plugin, or one with known backdoors.\u003c/li\u003e\n\u003cli\u003eDue to the authorization bypass in WP Learn Manager, the WordPress core or the plugin proceeds to process the request without verifying the attacker's administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe WordPress site then downloads, installs, and activates the attacker-specified plugin from the WordPress.org repository.\u003c/li\u003e\n\u003cli\u003eUpon activation, if the installed plugin contains malicious code (e.g., a web shell, backdoor, or configuration changes), the attacker gains persistent access or achieves unauthenticated Remote Code Execution (RCE) on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further malicious actions, such as data exfiltration, defacement, or embedding malware for visitor compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of successful exploitation of CVE-2026-12153 is severe, rated with a CVSS v3.1 base score of 9.8 (Critical). An unauthenticated attacker can achieve complete compromise of the affected WordPress site, potentially leading to unauthenticated Remote Code Execution (RCE). This could result in unauthorized access to sensitive data, website defacement, arbitrary code execution on the underlying server, and the ability to inject malware that could infect site visitors. Given the ease of exploitation and the lack of authentication required, affected organizations face a high risk of significant data breaches, operational disruption, and reputational damage if their sites are compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the WP Learn Manager plugin to a patched version beyond 1.1.8 to remediate CVE-2026-12153.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts at exploiting this authorization bypass on your web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress activity logs for unusual or unauthenticated plugin installations or activations that could indicate successful exploitation.\u003c/li\u003e\n\u003cli\u003eRegularly review installed plugins and themes on all WordPress sites for legitimacy and remove any unknown or unauthorized components.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T06:21:28Z","date_published":"2026-07-08T06:21:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wp-learn-manager-auth-bypass/","summary":"The WP Learn Manager plugin for WordPress, in versions up to and including 1.1.8, is vulnerable to an authorization bypass (CVE-2026-12153) allowing unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository, potentially leading to full site compromise.","title":"CVE-2026-12153 — WP Learn Manager Plugin Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-wp-learn-manager-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - WP Learn Manager \u003c= 1.1.8","version":"https://jsonfeed.org/version/1.1"}