MEDIUM 4.9

CVE-2026-7565: LearnPress Plugin Directory Traversal Allows Arbitrary File Read

The LearnPress – Backup & Migration Tool plugin for WordPress contains a flaw that allows site administrators to read files from anywhere on the server by manipulating a parameter called 'import-user-file'. While this requires admin-level access to exploit, the impact is serious: attackers with those credentials could retrieve sensitive configuration files, database credentials, or other confidential data stored on the server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7565 is a directory traversal vulnerability (CWE-22) in the LearnPress – Backup & Migration Tool plugin versions up to 4.1.4. The 'import-user-file' parameter fails to properly validate or sanitize file paths, enabling path traversal sequences (e.g., '../../../etc/passwd') to escape the intended directory and access arbitrary files on the filesystem. Authentication as an administrator is required, but the vulnerability imposes no additional interaction requirements once an authenticated session exists.

Business impact

For WordPress sites running this plugin, the primary risk is exposure of sensitive server-side data accessible to malicious insiders or compromised administrator accounts. This could include database credentials, API keys stored in configuration files, or user personally identifiable information. The impact is confined to confidentiality; the vulnerability does not enable file modification or system compromise. Organizations relying on admin credential compartmentalization should assess whether overprivileged accounts have access to this plugin.

Affected systems

LearnPress – Backup & Migration Tool plugin for WordPress, all versions up to and including 4.1.4. The vulnerability is present across all installations of this plugin version range on any WordPress site, but exploitation requires administrator-level access.

Exploitability

Exploitability is limited by privilege requirements: an attacker must already possess administrator-level credentials or have compromised an admin account. The attack is straightforward once authenticated—no special tools or user interaction are needed—but the barrier to entry is high. CVSS 3.1 score of 4.9 (MEDIUM) reflects high confidentiality impact offset by the requirement for high privileges. This is not a zero-click or unauthenticated vulnerability.

Remediation

Update the LearnPress – Backup & Migration Tool plugin to a version containing a security patch. Verify against the official plugin repository or vendor advisory for the patched version number. In the interim, restrict administrator role assignment to trusted users only and monitor admin accounts for suspicious activity. Consider disabling or removing the plugin if it is not actively used.

Patch guidance

Check the official LearnPress plugin page on WordPress.org or the vendor's advisory for version 4.1.5 or later, which should address this directory traversal flaw. Apply patches through the WordPress dashboard or by manual update if your site uses the free plugin version. If you use a commercial LearnPress variant, consult the vendor's release notes to confirm the fix version. Test the update on a staging environment before deploying to production.

Detection guidance

Monitor web server and WordPress logs for suspicious 'import-user-file' parameter values containing path traversal sequences ('../' or encoded equivalents). Check administrator account login history for unexpected or unusual access patterns. If you suspect exploitation, review filesystem access logs and consider checking for unauthorized file reads in your server's audit trail. Web application firewalls (WAF) can be configured to detect and block directory traversal attempts in plugin parameters.

Why prioritize this

Although the CVSS score is MEDIUM (4.9), this vulnerability merits prompt attention because: (1) it targets a backup and migration tool—precisely the kind of plugin handling sensitive data; (2) exploitation is trivial once authenticated; (3) administrator accounts are often shared or insufficiently monitored; and (4) data exposure can have compliance implications. Organizations should treat this as a standard security maintenance task but not an emergency if admin access is tightly controlled.

Risk score, explained

CVSS 3.1 assigns 4.9/10 (MEDIUM) based on: high confidentiality impact (C:H) and no integrity or availability impact; network-accessible attack vector; low attack complexity; but critically, high privilege requirement (PR:H). The score reflects that while the damage from reading arbitrary files is severe, the need for administrator credentials significantly reduces real-world likelihood. Your actual risk depends on how many users have admin access and how well you monitor those accounts.

Frequently asked questions

Do I need to update immediately?

If your site restricts administrator access to a small number of trusted users and you monitor admin logins, you have some time to plan the update. However, update within your normal patch cycle (within 1–2 weeks) to avoid drift. If admin access is broadly distributed or your site is publicly exposed, prioritize the update sooner.

Can this vulnerability be exploited remotely by someone without an account?

No. Exploitation requires administrator-level WordPress credentials. A remote attacker would first need to compromise or steal admin credentials through a separate attack (phishing, weak password, etc.) before they could exploit this vulnerability.

What files could be read?

Any file readable by the web server process on the server can be accessed, potentially including wp-config.php (database credentials), .htaccess, other plugin files, or system configuration files depending on file permissions. This is why containment to trusted admins is critical.

Is there a workaround if I cannot patch immediately?

The most effective workaround is to remove or disable the plugin if you don't actively use it for backups. If you do use it, restrict the WordPress administrator role to a small number of trusted, monitored accounts and consider using role management plugins to limit broad admin privileges.

This analysis is provided for informational and vulnerability management purposes. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data; always consult the official vendor advisory and test patches in a non-production environment before deployment. This vulnerability requires administrator credentials to exploit; it is not a critical zero-day. The above guidance is general and should be tailored to your specific security policies and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).