MEDIUM 6.6

CVE-2026-7566: PHP Object Injection in LearnPress Backup & Migration Tool (CVSS 6.6)

The LearnPress – Backup & Migration Tool WordPress plugin contains a PHP Object Injection flaw that allows authenticated administrators to inject malicious serialized objects into the application. By itself, this vulnerability is limited in impact because the plugin does not include a known Property-Oriented Programming (POP) chain. However, if your WordPress installation also runs other vulnerable plugins or themes that contain POP chains, an administrator could potentially weaponize this vulnerability to delete files, steal sensitive data, or execute arbitrary code on your server.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.6 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7566 is a PHP Object Injection vulnerability (CWE-502) in LearnPress – Backup & Migration Tool versions up to 4.1.4. The vulnerability exists in the plugin's deserialization of untrusted input, allowing an authenticated administrator to inject a crafted PHP object. The severity of exploitation depends entirely on the presence of a gadget chain (POP chain) within other installed plugins or themes. Without an exploitable chain in the environment, the injected object has no actionable consequence; with one present, an attacker could achieve arbitrary file deletion, information disclosure, or remote code execution.

Business impact

For WordPress site operators, this vulnerability presents a conditional but potentially serious risk. Organizations running LearnPress on multi-plugin environments should assess whether companion plugins or themes introduce known POP gadgets. If no such gadgets exist, the immediate risk is low. However, if vulnerable chains are present, an administrator account compromise becomes a vector for full system compromise. The attack surface is limited to authenticated administrators, reducing overall organizational risk but requiring strong access controls and monitoring of administrator actions.

Affected systems

LearnPress – Backup & Migration Tool plugin in all versions up to and including 4.1.4 running on WordPress installations. The vulnerability requires administrator-level or higher access to trigger. Impact depends on the presence of additional vulnerable plugins or themes with POP chains in the same WordPress environment.

Exploitability

Exploitation requires authentication with administrator-level privileges or above, placing a high barrier to attack. The attacker must already have administrative access to craft and inject the malicious object. Practical impact is further constrained by the absence of a known POP chain within LearnPress itself; a separate vulnerable plugin or theme must be installed for the injection to have any observable effect. Overall exploitability is moderate—the access requirement is restrictive, but the attack is straightforward once prerequisites are met.

Remediation

Update LearnPress – Backup & Migration Tool to a version beyond 4.1.4 as soon as patched versions are available. Audit all installed plugins and themes for known POP chains or gadget chains that could amplify this vulnerability. Implement strict access controls on administrator accounts, use Web Application Firewalls (WAF) with serialization detection rules, and monitor WordPress core logging for suspicious admin actions or object injection attempts. Consider disabling or removing the plugin if it is not actively used.

Patch guidance

Verify that the plugin vendor has released a patched version beyond 4.1.4. Once available, apply the patch during a maintenance window and test thoroughly in a staging environment before production deployment. If no patch has been released, consider alternative backup and migration solutions or deactivate the plugin until remediation is available. Check the vendor's advisory channel directly for patch release timelines.

Detection guidance

Monitor WordPress debug logs and security plugins for deserialization warnings or suspicious object injection attempts. Audit administrator action logs for unexpected plugin or theme configuration changes. Deploy WordPress-focused security tools capable of detecting serialized object injection patterns in POST requests targeting the plugin's endpoints. Network-level detection is challenging without WAF rules configured to flag serialization attacks. Regularly scan installed plugins and themes against known gadget chain databases to assess environmental risk.

Why prioritize this

Although rated MEDIUM (CVSS 6.6), this vulnerability should be prioritized based on your installed plugin ecosystem. Environments with numerous plugins face higher risk if POP chains exist. However, organizations running minimal plugins or using hardened WordPress configurations may deprioritize remediation if no vulnerable companion plugins are identified. Authentication requirement and dependency on external gadgets reduce urgency compared to critical unauthenticated RCE flaws, but the conditional nature means risk assessment must account for your specific setup.

Risk score, explained

The CVSS 3.1 score of 6.6 (MEDIUM) reflects high potential impact (confidentiality, integrity, availability all scored HIGH) but is moderated by high attack complexity (AC:H) and requirement for high-privilege authentication (PR:H). The score assumes a POP chain is present; in environments where no gadget chain exists, practical risk is lower. The score is not an absolute risk rating for your environment—it is a generic baseline that requires contextualization based on your plugin inventory and administrator account security posture.

Frequently asked questions

Can this vulnerability be exploited without administrator access?

No. The vulnerability explicitly requires administrator-level access or higher to inject the malicious object. Unauthenticated or lower-privilege users cannot exploit it.

What is a POP chain and why does it matter for this vulnerability?

A Property-Oriented Programming (POP) chain is a sequence of gadgets in existing code that an attacker can chain together to achieve malicious objectives (file deletion, data theft, code execution). LearnPress itself has no known chain, so an attacker needs vulnerable gadgets from another plugin or theme to make the injection actionable. Without a chain, the injected object has no effect.

How do I know if my WordPress site has a vulnerable POP chain?

Audit your installed plugins and themes against public gadget chain databases and security advisories. Security scanning tools and WAF solutions can help identify known vulnerable components. If your site runs only essential, regularly-updated plugins with no known POP chains, your risk is significantly lower.

If I update LearnPress, is the vulnerability fully resolved?

Verify the patch version against the vendor's advisory to confirm the deserialization flaw is fixed. Updating removes the injection point, but you should also ensure no other plugins contain exploitable POP chains to reduce your overall attack surface.

This analysis is provided for educational and risk management purposes. The information is current as of the publication date and based on publicly available data. CVSS scores are generic baselines; actual organizational risk depends on your specific environment, installed plugins, and administrator account security. No known public exploit exists at time of publication. Always verify patch availability and compatibility with your WordPress version and plugins before deploying updates. Test in a non-production environment first. For the most current vulnerability details and patch status, consult the official vendor advisory and your security scanning tools. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).