CVE-2026-7565: LearnPress Plugin Directory Traversal Allows Arbitrary File Read
The LearnPress – Backup & Migration Tool plugin for WordPress contains a flaw that allows site administrators to read files from anywhere on the server by manipulating a parameter called 'import-user-file'. While this requires admin-level access to exploit, the impact is serious: attackers with those credentials could retrieve sensitive configuration files, database credentials, or other confidential data stored on the server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7565 is a directory traversal vulnerability (CWE-22) in the LearnPress – Backup & Migration Tool plugin versions up to 4.1.4. The 'import-user-file' parameter fails to properly validate or sanitize file paths, enabling path traversal sequences (e.g., '../../../etc/passwd') to escape the intended directory and access arbitrary files on the filesystem. Authentication as an administrator is required, but the vulnerability imposes no additional interaction requirements once an authenticated session exists.
Business impact
For WordPress sites running this plugin, the primary risk is exposure of sensitive server-side data accessible to malicious insiders or compromised administrator accounts. This could include database credentials, API keys stored in configuration files, or user personally identifiable information. The impact is confined to confidentiality; the vulnerability does not enable file modification or system compromise. Organizations relying on admin credential compartmentalization should assess whether overprivileged accounts have access to this plugin.
Affected systems
LearnPress – Backup & Migration Tool plugin for WordPress, all versions up to and including 4.1.4. The vulnerability is present across all installations of this plugin version range on any WordPress site, but exploitation requires administrator-level access.
Exploitability
Exploitability is limited by privilege requirements: an attacker must already possess administrator-level credentials or have compromised an admin account. The attack is straightforward once authenticated—no special tools or user interaction are needed—but the barrier to entry is high. CVSS 3.1 score of 4.9 (MEDIUM) reflects high confidentiality impact offset by the requirement for high privileges. This is not a zero-click or unauthenticated vulnerability.
Remediation
Update the LearnPress – Backup & Migration Tool plugin to a version containing a security patch. Verify against the official plugin repository or vendor advisory for the patched version number. In the interim, restrict administrator role assignment to trusted users only and monitor admin accounts for suspicious activity. Consider disabling or removing the plugin if it is not actively used.
Patch guidance
Check the official LearnPress plugin page on WordPress.org or the vendor's advisory for version 4.1.5 or later, which should address this directory traversal flaw. Apply patches through the WordPress dashboard or by manual update if your site uses the free plugin version. If you use a commercial LearnPress variant, consult the vendor's release notes to confirm the fix version. Test the update on a staging environment before deploying to production.
Detection guidance
Monitor web server and WordPress logs for suspicious 'import-user-file' parameter values containing path traversal sequences ('../' or encoded equivalents). Check administrator account login history for unexpected or unusual access patterns. If you suspect exploitation, review filesystem access logs and consider checking for unauthorized file reads in your server's audit trail. Web application firewalls (WAF) can be configured to detect and block directory traversal attempts in plugin parameters.
Why prioritize this
Although the CVSS score is MEDIUM (4.9), this vulnerability merits prompt attention because: (1) it targets a backup and migration tool—precisely the kind of plugin handling sensitive data; (2) exploitation is trivial once authenticated; (3) administrator accounts are often shared or insufficiently monitored; and (4) data exposure can have compliance implications. Organizations should treat this as a standard security maintenance task but not an emergency if admin access is tightly controlled.
Risk score, explained
CVSS 3.1 assigns 4.9/10 (MEDIUM) based on: high confidentiality impact (C:H) and no integrity or availability impact; network-accessible attack vector; low attack complexity; but critically, high privilege requirement (PR:H). The score reflects that while the damage from reading arbitrary files is severe, the need for administrator credentials significantly reduces real-world likelihood. Your actual risk depends on how many users have admin access and how well you monitor those accounts.
Frequently asked questions
Do I need to update immediately?
If your site restricts administrator access to a small number of trusted users and you monitor admin logins, you have some time to plan the update. However, update within your normal patch cycle (within 1–2 weeks) to avoid drift. If admin access is broadly distributed or your site is publicly exposed, prioritize the update sooner.
Can this vulnerability be exploited remotely by someone without an account?
No. Exploitation requires administrator-level WordPress credentials. A remote attacker would first need to compromise or steal admin credentials through a separate attack (phishing, weak password, etc.) before they could exploit this vulnerability.
What files could be read?
Any file readable by the web server process on the server can be accessed, potentially including wp-config.php (database credentials), .htaccess, other plugin files, or system configuration files depending on file permissions. This is why containment to trusted admins is critical.
Is there a workaround if I cannot patch immediately?
The most effective workaround is to remove or disable the plugin if you don't actively use it for backups. If you do use it, restrict the WordPress administrator role to a small number of trusted, monitored accounts and consider using role management plugins to limit broad admin privileges.
This analysis is provided for informational and vulnerability management purposes. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data; always consult the official vendor advisory and test patches in a non-production environment before deployment. This vulnerability requires administrator credentials to exploit; it is not a critical zero-day. The above guidance is general and should be tailored to your specific security policies and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint