eastbaycyber

CVE-2026-12153: Unauthenticated Plugin Installation in WP Learn Manager

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-08
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - CVE-2026-12153 is a critical auth bypass in WP Learn Manager up to 1.1.8. - Unauthenticated attackers can install and activate arbitrary WordPress.org plugins. - Patch version is not confirmed; treat 1.1.8 and earlier as exposed and remove or disable if no fixed release exists.

Vulnerability at a Glance

Field Value
CVE ID CVE-2026-12153
CVSS 9.8 Critical
Attack vector Network
Privileges required None
Patch available Unknown from currently retrieved primary sources

CVE-2026-12153 affects the WP Learn Manager plugin for WordPress and is classified as an authorization bypass. According to the NVD description, the flaw exists in all versions up to and including 1.1.8 and allows unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site.

From an operations standpoint, this is much more serious than a routine plugin bug. Arbitrary plugin installation changes the code running on the site and can open multiple follow-on attack paths, including persistence, privilege escalation, data theft, and potential remote code execution depending on what plugin is installed and how it is abused afterward.

What Is This Vulnerability?

At its core, this is an authorization failure on a sensitive administrative action. The plugin appears to expose functionality that should be restricted to privileged WordPress users, but it does not properly verify that the requestor is authorized before performing the action. In practical terms, an internet-facing request can trigger plugin management logic without requiring an authenticated administrator session.

The NVD record explicitly describes the issue as the plugin “not properly verifying that a user is authorized to perform an action.” The referenced code locations point to includes/ajax.php and modules/jslearnmanager/model.php, which strongly suggests an AJAX-accessible workflow that reaches plugin installation or activation routines without a sufficient capability check.

Technical Notes

The exact vulnerable code could not be directly retrieved in this research context because WordPress Trac returned HTTP 403 for the referenced paths. Even so, the code references are still useful for defenders because they identify likely control points in the plugin:

  • includes/ajax.php
  • modules/jslearnmanager/model.php

For WordPress defenders, the likely anti-pattern to look for in code review is an AJAX action wired without a corresponding capability check such as current_user_can('install_plugins') or equivalent authorization enforcement before calling plugin installation APIs.

AnalystImpact · assess the risk

Who Is Affected?

The affected product is the WP Learn Manager plugin for WordPress, using the repository slug learn-manager. Based on the available data, the vulnerable range is all versions up to and including 1.1.8.

That means any WordPress site with WP Learn Manager 1.1.8 or earlier should be treated as potentially vulnerable unless independent vendor documentation proves otherwise. At the time of writing, a trustworthy primary-source fixed version number could not be confirmed from the retrieved references.

If you are responsible for a fleet of WordPress sites, do not limit your review to internet-facing production systems. This plugin could also be present on staging hosts, customer-specific instances, or old single-site deployments that escaped centralized inventory. In the absence of a confirmed fixed release, defenders should assume that every instance running learn-manager version 1.1.8 or below is exposed.

Technical Notes

You can quickly enumerate the installed version on a host with WP-CLI:

wp plugin list --format=table | grep learn-manager

Or inspect the plugin metadata directly:

grep -E '^(Version|Plugin Name):' wp-content/plugins/learn-manager/*.php

If you manage multiple systems, add learn-manager to your plugin inventory and compare each site against the known affected range: <= 1.1.8.

CVSS Score Breakdown

The CVSS base score is 9.8 (Critical). While the full vector was not returned in the provided source data, the score and vulnerability description are consistent with a profile like network exploitable, low attack complexity, no privileges required, and high impact.

That rating makes sense operationally. An unauthenticated attacker can remotely reach the vulnerable application, does not appear to need local access or prior compromise, and can alter the site’s installed software set. In a WordPress environment, that directly affects confidentiality, integrity, and availability because plugin installation can expose sensitive data, modify authentication or content handling, and destabilize or hijack the application.

A score this high should also shape prioritization. Even without confirmed exploitation in the wild, a bug that enables unauthenticated plugin installation deserves emergency review because it turns a web request into a software deployment action. For many organizations, that crosses the threshold from “application vulnerability” into “site takeover precursor.”

Technical Notes

Because the exact vector string was not available in the retrieved material, defenders should avoid citing a specific official vector unless they verify it from NVD or the CNA record. In the absence of the vector, assume a worst-case operational stance consistent with the 9.8 Critical rating:

  • remotely reachable
  • no authentication required
  • low complexity
  • broad downstream impact

Exploitation Status

At the time of writing, active exploitation in the wild is not confirmed from the sources reviewed. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, which means there is no KEV-based confirmation of exploitation at this time.

Also, a public proof of concept is not confirmed from the available sources used for this article. That said, lack of a confirmed PoC should not be treated as reassurance. The vulnerability description is specific enough that attackers may be able to recreate the attack path quickly, especially if the vulnerable AJAX handler and model methods are easy to inspect locally.

For defenders, the practical answer is: treat this as exploitable now, even if public reporting is still sparse. Unauthenticated access plus plugin installation is a highly attractive attack path for opportunistic WordPress scanning and targeted intrusion alike.

Technical Notes

Current status based on retrieved evidence:

  • PoC public: Not confirmed
  • Active exploitation: Not confirmed
  • CISA KEV listed: No

If your exposure window is large or your site is high value, assume attackers may attempt to install a secondary plugin for persistence or follow-on exploitation even before broad public exploitation reporting appears.

ResponderRunbook · act now

How to Detect It

Detection should focus on three areas: suspicious requests to WordPress AJAX endpoints, unexpected plugin installation or activation events, and filesystem changes under the plugin directory. Because the referenced vulnerable path includes includes/ajax.php, defenders should pay close attention to requests against wp-admin/admin-ajax.php that occur without authenticated admin activity.

The most useful detection logic will correlate web requests with plugin lifecycle changes. If a site suddenly downloads and enables a plugin from WordPress.org without a corresponding maintenance window or administrator action, treat that as suspicious. On smaller sites, this may show up first as a new directory under wp-content/plugins/ or an unfamiliar plugin activation entry.

Technical Notes

Example web log patterns to review:

POST /wp-admin/admin-ajax.php
GET /wp-admin/admin-ajax.php?action=...

Hunt for bursts of unauthenticated AJAX requests followed by plugin changes. On Apache or Nginx logs, start with requests to the AJAX endpoint from external IPs that do not also show a recent /wp-login.php success.

Example grep-based hunting:

grep 'POST /wp-admin/admin-ajax.php' /var/log/nginx/access.log
grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log

Example Sigma-style logic concept:

title: Suspicious WordPress AJAX Activity Followed by Plugin Changes
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem: "/wp-admin/admin-ajax.php"
    cs-method: "POST"
  condition: selection
fields:
  - c-ip
  - cs-uri-query
  - user-agent
level: medium

WP-CLI can help identify newly installed or recently activated plugins:

wp plugin list --status=active --format=table
find wp-content/plugins -maxdepth 1 -type d -printf '%TY-%Tm-%Td %TT %p\n' | sort

Also inspect WordPress and PHP logs for unexpected administrative changes around the same time. If available, compare against file integrity monitoring or EDR telemetry for new directories under wp-content/plugins/.

Mitigation and Patching

The safest confirmed statement is that all versions up to and including 1.1.8 are affected. A specific fixed version number is not confirmed from the currently retrieved primary sources. That means defenders should not guess at the upgrade target. Instead, verify the latest plugin changelog or vendor release note before treating any newer version as fixed.

If a vendor-confirmed patched release exists, upgrade directly to that version or later. If you cannot confirm a fixed release, the recommended defensive action is to disable and remove WP Learn Manager until a verified patch is available. Given the impact, this is one of the cases where temporary feature loss is usually preferable to leaving the site exposed.

In parallel, review recently installed plugins on any site that had WP Learn Manager present. Because the vulnerability enables plugin installation and activation, remediation is not complete until you confirm no unauthorized plugins were added and no persistence mechanism remains active.

Technical Notes

If a fixed release is available in your environment’s plugin source, update with WP-CLI:

wp plugin update learn-manager

If no fixed version is confirmed, disable and remove the plugin:

wp plugin deactivate learn-manager
wp plugin delete learn-manager

If you must keep the site online temporarily before removal, consider compensating controls that reduce exposure to the AJAX endpoint, understanding that these are workarounds and may break site functionality:

Nginx example:

location = /wp-admin/admin-ajax.php {
    allow 203.0.113.10;
    deny all;
    include fastcgi_params;
    fastcgi_pass php-fpm;
}

Apache example:

<Files "admin-ajax.php">
    Require ip 203.0.113.10
</Files>

These controls are blunt and may disrupt legitimate front-end features that depend on AJAX. Use them only as short-term containment while you patch, disable, or remove the vulnerable plugin. After mitigation, audit active plugins:

wp plugin list --format=table

And review for unauthorized additions:

ls -la wp-content/plugins/

References

The primary source for this CVE is the NVD record, which states that WP Learn Manager versions up to and including 1.1.8 are vulnerable to authorization bypass allowing unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository.

Additional context comes from the code paths referenced in the CVE entry, which point to includes/ajax.php and modules/jslearnmanager/model.php in the WordPress plugin repository structure. Although direct retrieval of those Trac pages was not available in this research environment, the paths still support the assessment that the issue is tied to AJAX-exposed logic that reaches plugin management functions.

Technical Notes

Primary references:

  • NVD CVE entry for CVE-2026-12153
  • WordPress plugin Trac references:
  • https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/includes/ajax.php#L15
  • https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/includes/ajax.php#L8
  • https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/modules/jslearnmanager/model.php#L879
  • https://plugins.trac.wordpress.org/browser/learn-manager/tags/1.1.8/modules/jslearnmanager/model.php#L920
  • Wordfence reference listed by NVD:
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/8cbf5121-2511-4e21-a346-67fa1e34fc02?source=cve

For more information on related vulnerabilities, you can also check out our articles on CVE-2026-44050 and Cloud Security Basics.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.