The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.
History

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rabilal
Rabilal wp Learn Manager
Wordpress
Wordpress wordpress
Vendors & Products Rabilal
Rabilal wp Learn Manager
Wordpress
Wordpress wordpress

Wed, 08 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Description The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.
Title WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-07-08T05:34:09.230Z

Updated: 2026-07-08T17:10:10.951Z

Reserved: 2026-06-12T18:22:34.569Z

Link: CVE-2026-12153

cve-icon Vulnrichment

Updated: 2026-07-08T13:47:36.333Z

cve-icon NVD

No data.

cve-icon Redhat

No data.