Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress - Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AnalysisAI
Directory traversal in the LearnPress - Backup & Migration Tool plugin for WordPress (all versions through 4.1.4) allows authenticated administrators to read arbitrary files on the underlying server by supplying path traversal sequences via the 'import-user-file' parameter. Exploitation exposes highly sensitive server-side content - including wp-config.php database credentials, private keys, or system files - despite requiring high-privilege access. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. The CVSS score of 4.9 reflects the high privilege barrier (PR:H), but the C:H confidentiality impact makes successful exploitation consequential.
Technical ContextAI
The vulnerability resides in the LearnPress Import/Export plugin developed by ThimPress (CPE: cpe:2.3:a:thimpress:learnpress_-_backup_&_migration_tool:*:*:*:*:*:*:*:*), which provides backup and migration functionality for the LearnPress LMS platform on WordPress. The flaw is located in class-lp-import-user-data.php at lines 150 and 190, where the 'import-user-file' parameter value is used to construct a file path for reading without adequate sanitization or path canonicalization. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) is the root cause: by embedding sequences such as '../' in the parameter, an attacker can escape the plugin's intended working directory and instruct the server to read files anywhere on the filesystem that the web server process can access. The CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N confirms network-reachable exploitation with no user interaction required, targeting confidentiality exclusively.
RemediationAI
An upstream fix has been committed to the plugin's WordPress SVN trunk at changeset 3546889 (https://plugins.trac.wordpress.org/changeset?old=3546889%40learnpress-import-export&new=3546889%40learnpress-import-export); however, a specific patched release version number is not confirmed in the available data - site owners should monitor the WordPress plugin repository for a published update and apply it immediately upon release. Until a tagged release is available, the most actionable compensating control is to audit and minimize the number of accounts holding administrator-level access on the WordPress installation, as exploitation is gated entirely on that privilege level. If the import-user-file functionality is not actively in use, disabling or deactivating the LearnPress Backup & Migration Tool plugin entirely eliminates the attack surface with no side effects on core LMS functionality. Web application firewall rules that detect and block directory traversal sequences (e.g., '../' patterns) in POST parameters to WordPress admin endpoints can serve as an additional layer of defense, though these can be bypassed by URL-encoding variations and should not substitute for patching.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34946
GHSA-3j57-m2q5-hqgp