CVE-2026-1787
📋 TL;DR
The LearnPress Export Import WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to delete migrated course data. This affects all WordPress sites using the plugin version 4.1.0 or earlier when Tutor LMS is also installed. Attackers can exploit this without any authentication to cause data loss.
💻 Affected Systems
- LearnPress Export Import WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete deletion of all courses migrated from Tutor LMS, causing permanent data loss and disruption to educational content.
Likely Case
Selective deletion of migrated courses, potentially disrupting specific educational programs or user access to course materials.
If Mitigated
No impact if proper access controls are implemented or vulnerable plugin is removed/updated.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint can trigger data deletion. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3458589/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'LearnPress Export Import' plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 4.1.1+ from WordPress repository and replace files.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the LearnPress Export Import plugin until patched
wp plugin deactivate learnpress-import-export
Remove Tutor LMS dependency
allDeactivate or remove Tutor LMS plugin to eliminate exploitation vector
wp plugin deactivate tutor
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint
- Restrict access to WordPress admin functions using IP whitelisting or authentication proxies
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > LearnPress Export Import version. If version is 4.1.0 or earlier, you are vulnerable.Check Version:
wp plugin get learnpress-import-export --field=versionVerify Fix Applied:
After update, confirm plugin version shows 4.1.1 or later in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=delete_migrated_data
- Unusual deletion events in WordPress activity logs
Network Indicators:
- Unauthenticated POST requests to WordPress admin-ajax endpoint with suspicious parameters
SIEM Query:
source="wordpress.log" AND "delete_migrated_data" AND NOT user="authenticated_user"