CVE-2026-1787 in LearnPress Export Import Plugin
Summary
by MITRE • 02/21/2026
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete courses that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability identified as CVE-2026-1787 affects the LearnPress Export Import WordPress extension in versions up to and including 4.1.0. This security flaw is a critical authorization bypass issue that enables unauthenticated attackers to perform unauthorized data deletion operations within WordPress environments. It arises from the absence of proper capability checks within the 'delete_migrated_data' function, which is designed to handle cleanup operations for courses that have been migrated from the Tutor LMS plugin. Exploitation requires the Tutor LMS plugin to be present, a dependency between the two plugins that creates an attack surface when both are installed.
The vulnerability stems from a missing access control check within the LearnPress plugin's export import functionality. Because the 'delete_migrated_data' function executes without verifying user permissions or capabilities, any visitor to the WordPress site can trigger data deletion operations. This is a classic authorization flaw that aligns with CWE-285, which addresses insufficient authorization issues in software systems. The vulnerability gives malicious actors a way to remove course content that has been migrated from Tutor LMS, potentially resulting in significant data loss for administrators who rely on these migrated courses for their learning management system operations.
From an operational perspective, the impact of this vulnerability extends beyond simple data deletion to encompass potential business disruption and loss of educational content. Organizations utilizing LearnPress in conjunction with Tutor LMS for their training programs face the risk of unauthorized deletion of migrated course materials, which could contain valuable curriculum content, assessments, and student progress tracking data. The unauthenticated nature of the attack means that no prior credentials or access privileges are required to exploit the vulnerability, making it particularly dangerous in public-facing WordPress environments. Attackers could potentially target multiple course instances simultaneously, leading to cascading data loss that could severely impact learning management operations and require extensive recovery procedures.
The exploitation of this vulnerability requires minimal technical skill and can be accomplished through standard web application attack techniques, making it accessible to a broad range of threat actors. Security practitioners should note that this vulnerability directly maps to ATT&CK technique T1485, which covers data destruction and data manipulation through unauthorized access to system resources. Organizations should implement immediate mitigations including plugin updates to versions that address the capability check deficiency, along with network-level restrictions that limit access to the affected WordPress endpoints. Additionally, administrators should consider implementing web application firewalls and monitoring for unusual deletion patterns in their learning management systems, as these activities could indicate exploitation attempts. The vulnerability underscores the importance of proper capability verification in WordPress plugins, particularly those handling data migration and import operations that involve multiple plugins within the same ecosystem.
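The capability verification discussed above, shown as an added example that is not the plugin's own code: a hypothetical admin-ajax handler for a destructive cleanup action, with the authorization, nonce and audit checks a reviewer would expect. Assumptions: every `example_*` hook, nonce and helper name, the `manage_options` capability, the `lp_course` post type and the `_example_migrated_from_tutor` meta key.

```php
<?php
// Added example, not the LearnPress Export Import source. Hypothetical names:
// the 'example_*' hook, nonce and helper, and the meta key marking migrated courses.

// Register the authenticated hook only; a 'wp_ajax_nopriv_*' registration
// would also route logged-out visitors to the handler.
add_action( 'wp_ajax_example_delete_migrated_data', 'example_delete_migrated_data' );

function example_delete_migrated_data() {
    // 1. Authorization: the kind of capability check the advisory reports as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 2. CSRF: a capability check alone still lets a forged request ride an admin session.
    if ( ! check_ajax_referer( 'example_delete_migrated_data_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // 3. Destructive actions are accepted over POST only.
    if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( array( 'message' => 'Method not allowed' ), 405 );
    }

    $deleted = example_remove_migrated_courses();

    // 4. Audit trail, so unusual deletion patterns can be spotted in the logs.
    error_log( sprintf( 'migrated courses trashed: user=%d count=%d', get_current_user_id(), $deleted ) );
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Moves migrated courses to the trash rather than force-deleting them,
// so a mistaken or malicious run remains recoverable.
function example_remove_migrated_courses() {
    $ids = get_posts( array(
        'post_type'   => 'lp_course',                    // assumed course post type
        'post_status' => 'any',
        'meta_key'    => '_example_migrated_from_tutor', // hypothetical marker
        'fields'      => 'ids',
        'numberposts' => -1,
    ) );
    $count = 0;
    foreach ( $ids as $id ) {
        if ( wp_trash_post( $id ) ) {
            $count++;
        }
    }
    return $count;
}
```

`wp_send_json_error()` terminates the request, so each failed check stops execution before any deletion runs.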