CVE-2026-7565 Overview
CVE-2026-7565 is a directory traversal vulnerability [CWE-22] in the LearnPress – Backup & Migration Tool plugin for WordPress. The flaw affects all plugin versions up to and including 4.1.4. The import-user-file parameter accepts attacker-controlled paths without proper sanitization, allowing arbitrary file read on the underlying server. Exploitation requires authenticated access at the administrator level or higher. Successful attacks expose configuration files, credentials, and other sensitive data stored on the host.
Critical Impact
Authenticated administrators can read arbitrary files on the WordPress server, including wp-config.php and other sensitive system files containing database credentials and secret keys.
Affected Products
- LearnPress – Backup & Migration Tool plugin for WordPress (versions ≤ 4.1.4)
- WordPress sites running the learnpress-import-export plugin
- Vulnerable code path: inc/admin/providers/learnpress/class-lp-import-user-data.php
Discovery Timeline
- 2026-06-06 - CVE-2026-7565 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-7565
Vulnerability Analysis
The LearnPress Backup & Migration Tool exposes an import feature that reads user data files supplied through the import-user-file parameter. The plugin uses this parameter value to construct a file path that is then passed to a read operation. Because the path is not validated or canonicalized, an attacker can supply traversal sequences such as ../ to escape the intended import directory.
The vulnerable logic resides in class-lp-import-user-data.php at lines 150 and 190, where the file path is consumed without enforcing a base directory. An authenticated administrator can supply a path pointing to any file the WordPress process can read. Returned contents may include database credentials from wp-config.php, private keys, or system files such as /etc/passwd.
The vulnerability is limited to file read; it does not allow writing, code execution, or modification of files. However, secrets recovered through this primitive frequently enable follow-on attacks against the database, other services, or privileged WordPress functionality.
Root Cause
The root cause is insufficient input validation on the import-user-file parameter. The plugin trusts the supplied path value and never checks that the resolved file lies inside the expected import directory: there is no realpath()-style canonicalization and no allow-list check against a known base path, so traversal sequences escape the import scope.
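The containment check described above, written as an added Python illustration rather than the plugin's own PHP code; the import base directory is a hypothetical value, since the page does not name the real one. It canonicalizes with realpath() and then verifies the result against the base with commonpath, which also catches a sibling directory that merely shares the base's name as a prefix.

```python
import os

# Hypothetical import directory; the plugin's actual directory is not given on the page.
IMPORT_BASE = "/var/www/html/wp-content/uploads/learnpress-import"


def resolve_import_path(user_value: str, base: str = IMPORT_BASE) -> str:
    """Return the canonical path for a user-supplied import file name, or raise
    ValueError when the value would resolve outside the base directory."""
    if not user_value or "\x00" in user_value:
        raise ValueError("empty or NUL-containing value rejected")
    # Normalize Windows-style separators so "..\" is treated like "../".
    user_value = user_value.replace("\\", "/")
    # An absolute value would make os.path.join discard the base entirely.
    if os.path.isabs(user_value):
        raise ValueError("absolute paths rejected")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_value))
    # commonpath (not startswith) so "/base-evil/x" is not accepted for base "/base".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes import directory: {user_value!r}")
    return candidate


def is_safe(user_value: str) -> bool:
    """Convenience wrapper: True when the value stays inside IMPORT_BASE."""
    try:
        resolve_import_path(user_value)
        return True
    except ValueError:
        return False
```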
Attack Vector
An authenticated user holding administrator privileges issues a request to the plugin's import endpoint and sets import-user-file to a traversal payload referencing the target file. The plugin opens the file and returns or processes its contents during the import workflow. Because administrator credentials are required, the most likely abuse scenarios involve compromised admin accounts, malicious insiders, or chained exploitation following a separate privilege escalation. Refer to the Wordfence Vulnerability Report and the source files at class-lp-import-user-data.php line 150 for technical details.
Detection Methods for CVE-2026-7565
Indicators of Compromise
- HTTP POST requests to LearnPress import endpoints containing import-user-file parameter values with ../, ..\, or URL-encoded traversal sequences such as %2e%2e%2f.
- Web server access log entries from administrator sessions referencing system paths such as wp-config.php, /etc/passwd, or .env files via the plugin.
- Unexpected file read activity originating from the PHP-FPM or web server process outside the WordPress uploads and plugin directories.
Detection Strategies
- Inspect web access logs for the import-user-file parameter and flag any values that contain path separators or traversal tokens.
- Correlate administrator authentication events with subsequent import-export plugin activity to identify abnormal admin behavior.
- Deploy a Web Application Firewall (WAF) rule that blocks traversal patterns on requests targeting /wp-admin/admin.php with LearnPress-related action parameters.
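The first detection strategy above, carried out over constructed access-log lines as an added example that is not part of this advisory. The endpoint query string (page=lp-import) and the log lines are assumptions for illustration; the script decodes the import-user-file value repeatedly so single- and double-URL-encoded traversal tokens are both flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not captured from a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin.php?page=lp-import&import-user-file=users.csv HTTP/1.1" 200 512
203.0.113.5 - - [06/Jun/2026:10:02:17 +0000] "POST /wp-admin/admin.php?page=lp-import&import-user-file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3071
203.0.113.9 - - [06/Jun/2026:10:03:40 +0000] "POST /wp-admin/admin.php?page=lp-import&import-user-file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1990
198.51.100.7 - - [06/Jun/2026:10:04:01 +0000] "GET /wp-admin/admin.php?page=lp-import HTTP/1.1" 200 8800
"""

# ip, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Traversal tokens, absolute Unix/Windows prefixes and NUL bytes, per the IoC list above.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/|^[A-Za-z]:\\|\x00)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e%252f becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose import-user-file value looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        params = parse_qs(urlsplit(target).query)  # parse_qs decodes one layer itself
        for raw in params.get("import-user-file", []):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                hits.append({"ip": ip, "time": ts, "method": method,
                             "status": int(status), "value": value})
    return hits
```

Only query-string values are visible in a standard access log; parameters sent in a POST body require request-body logging at the web server or WAF to be inspected the same way.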
Monitoring Recommendations
- Monitor file integrity and read access on sensitive files including wp-config.php, .htaccess, and any private key material on the WordPress host.
- Audit the WordPress administrator role membership and review recent additions or privilege changes.
- Alert on outbound traffic from the WordPress host that follows import-export plugin activity, which may indicate credential exfiltration.
How to Mitigate CVE-2026-7565
Immediate Actions Required
- Update the LearnPress – Backup & Migration Tool plugin to a version newer than 4.1.4 as soon as a fixed release is available.
- Disable or remove the learnpress-import-export plugin if a patched version is not yet installed and the import functionality is not in active use.
- Rotate WordPress secret keys, database credentials, and any API tokens that may have been exposed if exploitation is suspected.
- Review administrator accounts and enforce multi-factor authentication on all privileged WordPress users.
Patch Information
A changeset referenced in the LearnPress Changeset Overview addresses the import path handling. Administrators should upgrade through the WordPress plugin dashboard once the vendor publishes a release that includes the fix. Verify the installed version after updating to confirm it is greater than 4.1.4.
Workarounds
- Restrict access to /wp-admin/ by IP allow-list at the web server or WAF layer to limit who can invoke administrator-only endpoints.
- Run PHP under a least-privilege system account that cannot read sensitive files such as /etc/shadow or files outside the WordPress document root.
- Apply a WAF signature that blocks requests where import-user-file contains .., null bytes, or absolute path prefixes.
# Example ModSecurity rule to block traversal in the vulnerable parameter
SecRule ARGS:import-user-file "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|/etc/|wp-config\.php)" \
"id:1026756,phase:2,deny,status:403,log,msg:'CVE-2026-7565 LearnPress traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.