A critical authorization bypass in the WP Learn Manager WordPress plugin lets unauthenticated attackers install and activate arbitrary plugins, opening a direct path to full site compromise.
What Is It
CVE-2026-12153 is a critical (CVSS 9.8) authorization bypass affecting the WP Learn Manager plugin for WordPress. The plugin fails to properly verify that a user is authorized to perform a given action, a missing-authorization weakness classified as CWE-862. Because of this flaw, unauthenticated attackers can install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The vulnerability is remotely exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Why It Matters
The ability for an unauthenticated attacker to install and activate arbitrary plugins is effectively a route to full site takeover. The CVSS metrics rate confidentiality, integrity, and availability impact all as HIGH, reflecting the potential for complete compromise. With no authentication barrier and low complexity, exploitation is trivial for any attacker who can reach the site. There is no CISA KEV entry supplied for this CVE, so confirmed active exploitation is not documented in the available source material.
What's Vulnerable
The affected product is WP Learn Manager (vendor: rabilal), a WordPress plugin. All versions up to and including 1.1.8 are vulnerable. The issue stems from improperly protected AJAX handlers and model logic within the plugin.
Patch Status
The supplied source material does not include a fixed version or a CISA KEV required-action remediation directive. Administrators running WP Learn Manager 1.1.8 or earlier should treat the plugin as vulnerable and monitor the vendor and Wordfence advisory for an updated release; disabling or removing the plugin until a patched version is confirmed is a prudent interim measure.
Sources
- Wordfence Threat Intelligence; https://www.wordfence.com/threat-intel/vulnerabilities/id/8cbf5121-2511-4e21-a346-67fa1e34fc02?source=cve
- NVD, CVE-2026-12153, https://nvd.nist.gov/vuln/detail/CVE-2026-12153
- WordPress Plugin Source (learn-manager 1.1.8, ajax.php), https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/includes/ajax.php#L15
- WordPress Plugin Source (learn-manager 1.1.8, model.php), https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/modules/jslearnmanager/model.php#L879