Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation
CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-12153

CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary plugins — effectively granting full control of the WordPress site without credentials.

Dylan H.

Security Team

July 8, 2026
5 min read

Affected Products

  • WP Learn Manager for WordPress <= 1.1.8

Executive Summary

A critical unauthenticated authorization bypass vulnerability has been disclosed in the WP Learn Manager plugin for WordPress, tracked as CVE-2026-12153 with a CVSS score of 9.8. The vulnerability allows unauthenticated attackers to install and activate arbitrary plugins on the WordPress installation — without possessing any credentials or privileges.

This class of vulnerability is among the most severe in the WordPress ecosystem: by installing a malicious or backdoored plugin, an attacker can achieve full remote code execution and complete site compromise.

CVSS Score: 9.8 (Critical)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-12153
CVSS Score9.8 (Critical)
TypeAuthorization Bypass
Attack VectorNetwork
AuthenticationNone required
Privileges RequiredNone
User InteractionNone
Affected PluginWP Learn Manager
Affected VersionsAll versions <= 1.1.8

Root Cause

The WP Learn Manager plugin exposes a plugin installation/activation function without properly verifying that the requesting user is authorized to perform administrative actions. The plugin fails to implement standard WordPress capability checks (such as current_user_can('install_plugins')), allowing any unauthenticated HTTP request to trigger plugin installation.


Affected Versions and Patches

ComponentAffected VersionsStatus
WP Learn Manager (WordPress)All versions <= 1.1.8Update or remove immediately

Administrators should update to a version beyond 1.1.8 if a patch has been released, or remove the plugin entirely until one is available.


Impact

Direct Impact

Unauthenticated attackers can:

  • Install any plugin from the WordPress plugin repository — including known-malicious or backdoored forks
  • Activate installed plugins immediately, triggering their execution on the server
  • Achieve Remote Code Execution (RCE) by installing a plugin that executes attacker-supplied PHP code

Full Site Compromise Path

1. Install a malicious plugin containing a PHP web shell
2. Activate the plugin via the same bypass
3. Access the web shell to execute arbitrary OS commands
4. Exfiltrate database credentials, user data, and files
5. Establish persistent backdoor access

This attack requires zero authentication and can be automated in seconds.


Attack Scenario

1. Attacker scans for WordPress sites running WP Learn Manager <= 1.1.8
2. Sends a crafted unauthenticated POST request to the plugin installation endpoint
3. Specifies a backdoored or malicious plugin as the installation target
4. Plugin is installed and activated — PHP code runs immediately
5. Attacker gains full RCE and database access
6. Deploys persistent backdoor for continued access

Remediation

Immediate Steps

  1. Update WP Learn Manager to the latest version immediately
  2. If no patch is available: Deactivate and delete the plugin
  3. Audit installed plugins: Check the plugin list for any unfamiliar or recently installed plugins — evidence of exploitation
  4. Review access logs: Look for POST requests to plugin-management endpoints from unauthenticated sources
  5. Scan for web shells: Use a file integrity scanner or security plugin to detect injected PHP files

WordPress Hardening

  • Ensure all plugin capability checks use current_user_can() for any administrative action
  • Implement a WAF rule blocking unauthenticated requests to plugin management endpoints
  • Restrict wp-admin access by IP where possible
  • Use two-factor authentication for all administrator accounts
  • Monitor plugin installations via WordPress activity logs

Detection

Signs of Exploitation

IndicatorDescription
Unfamiliar plugins appearing in the Plugins listAttacker-installed plugins
Unauthenticated POST requests to plugin management endpointsActive exploitation attempt
New PHP files in wp-content/plugins/ from unknown sourcesWeb shell or backdoor installation
Unexpected outbound connections from the web serverC2 communication from malicious plugin
Admin-level actions in logs with no corresponding loginExploited session

Why Authorization Bypass at This Privilege Level Is Catastrophic

Installing and activating plugins is an administrator-only operation in WordPress for good reason — plugins execute as PHP code with full access to the WordPress database, filesystem, and server environment. An authorization bypass here is functionally equivalent to handing an attacker the server root.

Unlike many vulnerabilities that require chaining with other flaws, this one provides a direct, single-step path to full compromise with no authentication required.


Key Takeaways

  1. CVSS 9.8 Critical — Unauthenticated plugin installation leads directly to RCE
  2. All WP Learn Manager versions up to 1.1.8 are vulnerable — remove or update immediately
  3. Audit your plugin list now if WP Learn Manager was ever active on your site
  4. WordPress capability checks are not optional — any plugin omitting current_user_can() for admin functions is a critical flaw
  5. Mass scanning is likely — this class of vulnerability is actively targeted by automated exploit frameworks

References

  • NVD — CVE-2026-12153
  • WordPress Plugin Repository — WP Learn Manager
  • WordPress Codex — Roles and Capabilities
  • OWASP — Broken Access Control
#CVE#WordPress#Authorization Bypass#Plugin Installation#Unauthenticated#NVD

Related Articles

CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution or complete site takedown.

4 min read

CVE-2026-4119: WordPress Create DB Tables Plugin

A critical CVSS 9.1 authorization bypass in the WordPress Create DB Tables plugin (all versions up to 1.2.1) allows unauthenticated users to create or...

3 min read

CVE-2026-9701: WordPress Eventer Plugin — Insecure Password Reset Enables Account Takeover

A critical CVSS 9.8 vulnerability in the Eventer WordPress plugin exposes plaintext password reset keys in user meta, allowing unauthenticated attackers to take over any user account — including administrator accounts.

4 min read
Back to all Security Alerts