Description
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2026-06-06
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin deserializes untrusted XML files during import, enabling PHP Object Injection for users with Administrator+ privileges. An attacker can supply crafted data that causes a malicious object to be instantiated. Since the plugin itself contains no pre‑existing POP chain, the flaw alone cannot execute code or modify files. However, if another plugin or theme on the same WordPress site implements a POP chain, the injected object can be leveraged to delete or read files, exfiltrate sensitive information, or run arbitrary code, depending on the chain present.

Affected Systems

Vulnerable versions are all releases of LearnPress – Backup & Migration Tool up to and including 4.1.4, distributed by thimpress. No other product or version is explicitly listed as affected.

Risk and Exploitability

The CVSS score of 6.6 indicates a moderate severity flaw. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated Administrator access and a compatible POP chain in a companion plugin or theme; without such a chain the impact is limited to data model tampering. The threat remains conditional on the presence of additional vulnerable code on the site.

Generated by OpenCVE AI on June 6, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LearnPress – Backup & Migration Tool to the latest version once the vendor releases a patch that eliminates the deserialization flaw.
  • Disable or restrict the import/export feature so that only the most trusted administrators can use it, or remove the feature entirely if it is not needed.
  • Review all other active plugins and themes for property-oriented programming (POP) gadget chains; upgrade or remove any components that allow deserialization of untrusted data.
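The Impact section above describes the root cause (an import routine handing untrusted data to PHP deserialization) and the last recommended action asks site owners to look for the same pattern elsewhere. The following is an added example, not code from the LearnPress plugin or from OpenCVE, showing the unsafe call beside a hardened one. The class LogFlusher and the functions importUnsafe, importHardened and containsSerializedObject are hypothetical names chosen for the demonstration; LogFlusher stands in for a gadget class that some other plugin or theme might ship, and its destructor only echoes so the demo is inert.

```php
<?php
declare(strict_types=1);

// Added example, not LearnPress code. LogFlusher is a hypothetical stand-in for a
// gadget class provided by another plugin or theme. A POP chain works because PHP
// runs magic methods (__destruct, __wakeup, __toString, ...) on objects that
// unserialize() creates, so the data controls which class and which properties.
final class LogFlusher
{
    public string $path = '/tmp/app.log';

    public function __destruct()
    {
        // A real gadget would act on $this->path (unlink, file_put_contents, ...).
        echo "LogFlusher::__destruct ran for {$this->path}\n";
    }
}

// Unsafe pattern (the shape of the flaw described above): every class the payload
// names is instantiated and its magic methods run, whether or not the caller
// expected objects at all.
function importUnsafe(string $payload): mixed
{
    return unserialize($payload);
}

// Hardened pattern: allowed_classes => false makes PHP materialise every object as
// __PHP_Incomplete_Class, whose magic methods are never invoked, so no gadget
// chain can start. Plain scalars and arrays still round-trip normally.
function importHardened(string $payload): mixed
{
    $data = unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false both for the literal false and for malformed input.
    if ($data === false && $payload !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $data;
}

// Defence in depth: reject payloads that encode objects (O: or C: records) before
// they ever reach unserialize(). This is a heuristic pre-filter; allowed_classes is
// the control that actually prevents instantiation.
function containsSerializedObject(string $payload): bool
{
    return preg_match('/(^|[;{:])[OC]:\d+:"/', $payload) === 1;
}

// Constructed sample input for the demo: a serialized LogFlusher whose path field
// was chosen by whoever wrote the file. Lengths (10, 4, 15) match the field values.
$sample = 'O:10:"LogFlusher":1:{s:4:"path";s:15:"/tmp/victim.txt";}';

if (containsSerializedObject($sample)) {
    echo "pre-filter: payload encodes an object, would be rejected\n";
}

$decoded = importHardened($sample);
echo 'hardened path produced: ' . get_class($decoded) . "\n";
if ($decoded instanceof __PHP_Incomplete_Class) {
    echo "no LogFlusher was constructed, so its destructor never runs\n";
}

// For contrast only: importUnsafe($sample) would build a real LogFlusher and PHP
// would run its __destruct when the object is released.
```

Where an import format genuinely needs structured data, prefer a format without an object model (JSON via json_decode(), or an XML reader whose output is arrays) over serialize()/unserialize(); where unserialize() cannot be removed, always pass allowed_classes => false or an explicit whitelist of data-only classes.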

Generated by OpenCVE AI on June 6, 2026 at 04:51 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress – Backup & Migration Tool
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress – Backup & Migration Tool
Wordpress
Wordpress wordpress

Sat, 06 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Thimpress Learnpress – Backup & Migration Tool
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:48:35.895Z

Reserved: 2026-04-30T20:29:27.858Z

Link: CVE-2026-7566

Vulnrichment

Updated: 2026-06-06T11:48:31.249Z

NVD

Status: Received

Published: 2026-06-06T04:17:39.530

Modified: 2026-06-06T04:17:39.530

Link: CVE-2026-7566

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T05:00:14Z

Weaknesses