CVE-2026-7565
Description
The LearnPress Backup & Migration Tool plugin for WordPress is vulnerable to arbitrary file read via directory traversal, allowing authenticated administrators to read sensitive server files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LearnPress – Backup & Migration Tool plugin for WordPress, in all versions up to and including 4.1.4, suffers from an Arbitrary File Read vulnerability. This vulnerability is triggered through the import-user-file parameter, allowing directory traversal.
Exploitation
An authenticated attacker with administrator-level access or higher can exploit this vulnerability. The attacker needs to send a crafted request to the plugin, specifically manipulating the import-user-file parameter to include a path traversal sequence, thereby accessing arbitrary files on the server.
Impact
Successful exploitation allows an attacker to read the contents of arbitrary files on the server. This can lead to the disclosure of sensitive information, such as configuration files, credentials, or other private data, depending on the files accessible by the web server process.
Mitigation
Versions of the LearnPress – Backup & Migration Tool plugin up to and including 4.1.4 are affected. The vendor has released version 4.1.5, which addresses this vulnerability. Users are advised to update to version 4.1.5 or later. The update was released on 2026-05-25 [1].
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/admin/providers/learnpress/class-lp-import-user-data.php (nvd)
- plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/admin/providers/learnpress/class-lp-import-user-data.php (nvd)
- plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-user-data.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/0f6d0ba7-f9e8-493b-9e6d-62f1c662e21e (nvd)