Executive Summary
A critical unauthenticated authorization bypass vulnerability has been disclosed in the WP Learn Manager plugin for WordPress, tracked as CVE-2026-12153 with a CVSS score of 9.8. The vulnerability allows unauthenticated attackers to install and activate arbitrary plugins on the WordPress installation — without possessing any credentials or privileges.
This class of vulnerability is among the most severe in the WordPress ecosystem: by installing a malicious or backdoored plugin, an attacker can achieve full remote code execution and complete site compromise.
CVSS Score: 9.8 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-12153 |
| CVSS Score | 9.8 (Critical) |
| Type | Authorization Bypass |
| Attack Vector | Network |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Affected Plugin | WP Learn Manager |
| Affected Versions | All versions <= 1.1.8 |
Root Cause
The WP Learn Manager plugin exposes a plugin installation/activation function without properly verifying that the requesting user is authorized to perform administrative actions. The plugin fails to implement standard WordPress capability checks (such as current_user_can('install_plugins')), allowing any unauthenticated HTTP request to trigger plugin installation.
Affected Versions and Patches
| Component | Affected Versions | Status |
|---|---|---|
| WP Learn Manager (WordPress) | All versions <= 1.1.8 | Update or remove immediately |
Administrators should update to a version beyond 1.1.8 if a patch has been released, or remove the plugin entirely until one is available.
Impact
Direct Impact
Unauthenticated attackers can:
- Install any plugin from the WordPress plugin repository — including known-malicious or backdoored forks
- Activate installed plugins immediately, triggering their execution on the server
- Achieve Remote Code Execution (RCE) by installing a plugin that executes attacker-supplied PHP code
Full Site Compromise Path
1. Install a malicious plugin containing a PHP web shell
2. Activate the plugin via the same bypass
3. Access the web shell to execute arbitrary OS commands
4. Exfiltrate database credentials, user data, and files
5. Establish persistent backdoor accessThis attack requires zero authentication and can be automated in seconds.
Attack Scenario
1. Attacker scans for WordPress sites running WP Learn Manager <= 1.1.8
2. Sends a crafted unauthenticated POST request to the plugin installation endpoint
3. Specifies a backdoored or malicious plugin as the installation target
4. Plugin is installed and activated — PHP code runs immediately
5. Attacker gains full RCE and database access
6. Deploys persistent backdoor for continued accessRemediation
Immediate Steps
- Update WP Learn Manager to the latest version immediately
- If no patch is available: Deactivate and delete the plugin
- Audit installed plugins: Check the plugin list for any unfamiliar or recently installed plugins — evidence of exploitation
- Review access logs: Look for POST requests to plugin-management endpoints from unauthenticated sources
- Scan for web shells: Use a file integrity scanner or security plugin to detect injected PHP files
WordPress Hardening
- Ensure all plugin capability checks use
current_user_can()for any administrative action - Implement a WAF rule blocking unauthenticated requests to plugin management endpoints
- Restrict
wp-adminaccess by IP where possible - Use two-factor authentication for all administrator accounts
- Monitor plugin installations via WordPress activity logs
Detection
Signs of Exploitation
| Indicator | Description |
|---|---|
| Unfamiliar plugins appearing in the Plugins list | Attacker-installed plugins |
| Unauthenticated POST requests to plugin management endpoints | Active exploitation attempt |
New PHP files in wp-content/plugins/ from unknown sources | Web shell or backdoor installation |
| Unexpected outbound connections from the web server | C2 communication from malicious plugin |
| Admin-level actions in logs with no corresponding login | Exploited session |
Why Authorization Bypass at This Privilege Level Is Catastrophic
Installing and activating plugins is an administrator-only operation in WordPress for good reason — plugins execute as PHP code with full access to the WordPress database, filesystem, and server environment. An authorization bypass here is functionally equivalent to handing an attacker the server root.
Unlike many vulnerabilities that require chaining with other flaws, this one provides a direct, single-step path to full compromise with no authentication required.
Key Takeaways
- CVSS 9.8 Critical — Unauthenticated plugin installation leads directly to RCE
- All WP Learn Manager versions up to 1.1.8 are vulnerable — remove or update immediately
- Audit your plugin list now if WP Learn Manager was ever active on your site
- WordPress capability checks are not optional — any plugin omitting
current_user_can()for admin functions is a critical flaw - Mass scanning is likely — this class of vulnerability is actively targeted by automated exploit frameworks