SYS::ONLINE
Wasteland.
Briefs1132
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-12153 2026-07-08

CVE-2026-12153: Unauthenticated Plugin Installation Flaw in WP Learn Manager

"A critical authorization bypass in the WP Learn Manager WordPress plugin lets unauthenticated attackers install and activate arbitrary plugins, opening a direct path to full site compromise."

A critical authorization bypass in the WP Learn Manager WordPress plugin lets unauthenticated attackers install and activate arbitrary plugins, opening a direct path to full site compromise.

What Is It

CVE-2026-12153 is a critical (CVSS 9.8) authorization bypass affecting the WP Learn Manager plugin for WordPress. The plugin fails to properly verify that a user is authorized to perform a given action, a missing-authorization weakness classified as CWE-862. Because of this flaw, unauthenticated attackers can install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The vulnerability is remotely exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Why It Matters

The ability for an unauthenticated attacker to install and activate arbitrary plugins is effectively a route to full site takeover. The CVSS metrics rate confidentiality, integrity, and availability impact all as HIGH, reflecting the potential for complete compromise. With no authentication barrier and low complexity, exploitation is trivial for any attacker who can reach the site. There is no CISA KEV entry supplied for this CVE, so confirmed active exploitation is not documented in the available source material.

What's Vulnerable

The affected product is WP Learn Manager (vendor: rabilal), a WordPress plugin. All versions up to and including 1.1.8 are vulnerable. The issue stems from improperly protected AJAX handlers and model logic within the plugin.

Patch Status

The supplied source material does not include a fixed version or a CISA KEV required-action remediation directive. Administrators running WP Learn Manager 1.1.8 or earlier should treat the plugin as vulnerable and monitor the vendor and Wordfence advisory for an updated release; disabling or removing the plugin until a patched version is confirmed is a prudent interim measure.

Sources