Description
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
Published: 2026-02-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of courses migrated from Tutor LMS
Action: Immediate Patch
AI Analysis

Impact

The LearnPress Export Import extension performs a delete_migrated_data action without checking user permissions, allowing any visitor to trigger the function. This missing capability check leads to unauthorized removal of course content that was migrated from Tutor LMS, compromising data integrity and availability. The vulnerability is rooted in the lack of proper authorization controls (CWE‑862).

Affected Systems

The vulnerability affects the thimpress LearnPress – Backup & Migration Tool plugin, all versions up to and including 4.1.0. Its exploitation requires the Tutor LMS plugin to be installed and activated on the target WordPress installation.

Risk and Exploitability

The CVSS v3 score of 4.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers do not need any prior authentication; they simply need access to the site’s front‑end or back‑end to trigger the vulnerable endpoint. The prerequisite of having Tutor LMS installed limits the affected audience, but once that condition is met, any visitor can delete migrated course data, potentially causing significant data loss.

Generated by OpenCVE AI on April 15, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LearnPress Export Import extension to the latest available version, or apply the vendor‑provided patch, to reinstate proper capability checks.
  • If the site does not rely on Tutor LMS, uninstall or deactivate that plugin to remove the necessary prerequisite for exploitation.
  • Verify that only privileged administrators possess the delete_migrated_data capability, review user role assignments, and eliminate any unauthorized links or functionalities that expose this capability to general users.

Generated by OpenCVE AI on April 15, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress – Backup & Migration Tool
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress – Backup & Migration Tool
Wordpress
Wordpress wordpress

Sat, 21 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
Description The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
Title LearnPress Export Import <= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Thimpress Learnpress – Backup & Migration Tool
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:34.129Z

Reserved: 2026-02-03T01:03:46.808Z

Link: CVE-2026-1787

cve-icon Vulnrichment

Updated: 2026-02-24T18:02:35.636Z

cve-icon NVD

Status : Deferred

Published: 2026-02-21T11:15:55.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1787

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses