Skip to main content

LearnPress Backup & Migration EUVDEUVD-2026-34946

| CVE-2026-7565 MEDIUM
Path Traversal (CWE-22)
2026-06-06 Wordfence GHSA-3j57-m2q5-hqgp
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 03:56 vuln.today
CVE Published
Jun 06, 2026 - 02:28 nvd
MEDIUM 4.9

DescriptionCVE.org

The LearnPress - Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

AnalysisAI

Directory traversal in the LearnPress - Backup & Migration Tool plugin for WordPress (all versions through 4.1.4) allows authenticated administrators to read arbitrary files on the underlying server by supplying path traversal sequences via the 'import-user-file' parameter. Exploitation exposes highly sensitive server-side content - including wp-config.php database credentials, private keys, or system files - despite requiring high-privilege access. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. The CVSS score of 4.9 reflects the high privilege barrier (PR:H), but the C:H confidentiality impact makes successful exploitation consequential.

Technical ContextAI

The vulnerability resides in the LearnPress Import/Export plugin developed by ThimPress (CPE: cpe:2.3:a:thimpress:learnpress_-_backup_&_migration_tool:*:*:*:*:*:*:*:*), which provides backup and migration functionality for the LearnPress LMS platform on WordPress. The flaw is located in class-lp-import-user-data.php at lines 150 and 190, where the 'import-user-file' parameter value is used to construct a file path for reading without adequate sanitization or path canonicalization. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) is the root cause: by embedding sequences such as '../' in the parameter, an attacker can escape the plugin's intended working directory and instruct the server to read files anywhere on the filesystem that the web server process can access. The CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N confirms network-reachable exploitation with no user interaction required, targeting confidentiality exclusively.

RemediationAI

An upstream fix has been committed to the plugin's WordPress SVN trunk at changeset 3546889 (https://plugins.trac.wordpress.org/changeset?old=3546889%40learnpress-import-export&new=3546889%40learnpress-import-export); however, a specific patched release version number is not confirmed in the available data - site owners should monitor the WordPress plugin repository for a published update and apply it immediately upon release. Until a tagged release is available, the most actionable compensating control is to audit and minimize the number of accounts holding administrator-level access on the WordPress installation, as exploitation is gated entirely on that privilege level. If the import-user-file functionality is not actively in use, disabling or deactivating the LearnPress Backup & Migration Tool plugin entirely eliminates the attack surface with no side effects on core LMS functionality. Web application firewall rules that detect and block directory traversal sequences (e.g., '../' patterns) in POST parameters to WordPress admin endpoints can serve as an additional layer of defense, though these can be bypassed by URL-encoding variations and should not substitute for patching.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy