CVE-2026-7566 Overview
The LearnPress – Backup & Migration Tool plugin for WordPress contains a PHP Object Injection vulnerability in all versions up to and including 4.1.4. The flaw stems from deserialization of untrusted input [CWE-502], allowing authenticated attackers with administrator-level access to inject arbitrary PHP objects. The vulnerable plugin does not ship with a Property-Oriented Programming (POP) chain, so direct impact is limited. However, if a POP chain exists in another installed plugin or theme, attackers can chain the injection to delete files, exfiltrate sensitive data, or execute code.
Critical Impact
Authenticated administrators can trigger PHP Object Injection that, when combined with a POP chain from any other installed plugin or theme, may lead to arbitrary file deletion, data disclosure, or remote code execution.
Affected Products
- LearnPress – Backup & Migration Tool plugin for WordPress (versions ≤ 4.1.4)
- WordPress installations running the learnpress-import-export plugin
- Sites where additional plugins or themes provide an exploitable POP chain
Discovery Timeline
- 2026-06-06 - CVE-2026-7566 published to the National Vulnerability Database (NVD)
- 2026-06-08 - CVE-2026-7566 last updated in the NVD
Technical Details for CVE-2026-7566
Vulnerability Analysis
The vulnerability resides in the import functionality of the LearnPress Backup & Migration Tool. The plugin calls PHP deserialization routines against attacker-controlled input during the import workflow. Code paths in inc/admin/providers/learnpress/class-lp-import-learnpress.php and inc/parsers.php process serialized data without validating its origin or type. An authenticated administrator can submit a crafted import payload that instantiates arbitrary PHP objects in the application context. The plugin itself contains no usable gadget chain, so exploitation depends on a magic method (such as __destruct, __wakeup, or __toString) being reachable through a separately installed component.
Root Cause
The root cause is unsafe deserialization of untrusted input. The plugin passes user-supplied data from import operations into unserialize() without first validating structure, signing the data, or restricting allowed classes. PHP object instantiation during deserialization triggers magic methods, which can be abused when reachable gadgets exist in the runtime.
Attack Vector
Exploitation requires network access to the WordPress administration interface and an account with administrator privileges. The attacker uploads or submits a crafted serialized payload through the plugin's import functionality. When the plugin deserializes the payload, attacker-controlled objects are instantiated. If a POP chain is reachable through another installed plugin, theme, or WordPress component, the resulting magic-method invocation chain can produce file deletion, sensitive data retrieval, or arbitrary code execution. The high privilege requirement and dependency on a third-party gadget chain explain the elevated attack complexity reflected in the scoring.
No verified public exploit code is available. Technical details are documented in the Wordfence Vulnerability Report and in the WordPress Plugin Code Reference.
Detection Methods for CVE-2026-7566
Indicators of Compromise
- Import requests to the LearnPress Backup & Migration Tool containing serialized PHP markers such as O:, a:, or s: in unexpected fields.
- Unexpected file deletions, new PHP files in wp-content/, or modifications to plugin and theme directories following an import event.
- Administrator session activity from unusual IP addresses immediately preceding plugin import operations.
Detection Strategies
- Inspect HTTP POST bodies sent to plugin import endpoints for serialized object patterns and reject or alert on payloads containing class instantiation tokens.
- Monitor PHP error logs for __wakeup, __destruct, or autoloader warnings originating from the learnpress-import-export plugin path.
- Correlate WordPress audit log entries for plugin imports with subsequent file system writes or outbound network connections from the PHP worker process.
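The first detection strategy above, as an added example that is not code from the plugin or from the reports this page cites: a structural walk of a PHP serialize() value that returns the class names it would instantiate, so a string that merely mentions `O:` is not flagged the way a bare pattern match would flag it. The function names, the sample values and the class name `ExampleGadget` are constructed for illustration; `S:` escaped strings and `E:` enum tokens are not handled and come back as `unparsed`.

```python
import re

_SCALAR = re.compile(rb'N;|[bidrR]:[-+.\w]+;')  # null, bool, int, float, references
_HEAD = re.compile(rb'([asOC]):(\d+):')         # types carrying a length or count
_COUNT = re.compile(rb':(\d+):')

def _expect(data, pos, token):
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)

def _members(data, pos, count, found):
    pos = _expect(data, pos, b'{')
    for _ in range(2 * count):                  # key/value pairs
        pos = _value(data, pos, found)
    return _expect(data, pos, b'}')

def _value(data, pos, found):
    if m := _SCALAR.match(data, pos):
        return m.end()
    if not (m := _HEAD.match(data, pos)):
        raise ValueError(f"not PHP serialized data at offset {pos}")
    kind, n = m.group(1), int(m.group(2))
    if kind == b'a':
        return _members(data, m.end(), n, found)
    start = _expect(data, m.end(), b'"')        # s, O, C: quoted run of n bytes
    end = _expect(data, start + n, b'"')
    if kind == b's':                            # string body is skipped, not scanned
        return _expect(data, end, b';')
    found.append(data[start:start + n].decode('utf-8', 'replace'))
    if not (m := _COUNT.match(data, end)):
        raise ValueError(f"bad object header at offset {end}")
    if kind == b'O':
        return _members(data, m.end(), int(m.group(1)), found)
    body = _expect(data, m.end(), b'{')         # C: opaque custom-serialized body
    return _expect(data, body + int(m.group(1)), b'}')

def audit_field(value: bytes):
    """Return (status, classes); status is 'data', 'object' or 'unparsed'."""
    found = []
    try:
        if _value(value, 0, found) != len(value):
            raise ValueError("trailing bytes after serialized value")
    except (ValueError, RecursionError):
        return ('unparsed', found)              # keep classes seen before the error
    return ('object' if found else 'data', found)

# Constructed samples: a note that only mentions "O:" and a value holding an object
BENIGN = b'a:1:{s:4:"note";s:31:"see O:8:"stdClass":0:{} in docs";}'
OBJECT = b'a:1:{s:4:"meta";O:13:"ExampleGadget":1:{s:1:"x";i:1;}}'
```

A result of `object`, or `unparsed` with a non-empty class list, is the case to alert on; `data` covers ordinary serialized arrays and scalars.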
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/plugins/ and wp-content/themes/ to flag changes that follow administrator import activity.
- Centralize WordPress, web server, and PHP-FPM logs in a SIEM to track administrator actions and deserialization-related errors.
- Track installed plugins and themes against known POP chain advisories to identify gadget exposure on each site.
How to Mitigate CVE-2026-7566
Immediate Actions Required
- Update the LearnPress – Backup & Migration Tool plugin to version 4.1.5 or later, where the vulnerable code path was modified (see functions.php at tag 4.1.5).
- Audit administrator accounts, enforce strong passwords, and require multi-factor authentication on every privileged WordPress user.
- Inventory all installed plugins and themes and remove unused components that could supply a POP gadget chain.
Patch Information
The vendor addressed the issue in version 4.1.5 of the learnpress-import-export plugin. The fix is referenced in the WordPress plugin repository at tags/4.1.5/inc/functions.php#L384. Administrators should apply the update through the WordPress dashboard or via WP-CLI and verify the installed version after deployment.
Workarounds
- Deactivate and remove the LearnPress – Backup & Migration Tool plugin until the patched version is installed.
- Restrict access to the WordPress admin interface using IP allowlisting, VPN access, or a web application firewall rule blocking serialized payloads on plugin import endpoints.
- Reduce the number of accounts with the administrator role and apply the principle of least privilege to limit who can trigger import operations.
```bash
# Update the plugin via WP-CLI to remediate CVE-2026-7566
wp plugin update learnpress-import-export --version=4.1.5
wp plugin list --name=learnpress-import-export --fields=name,status,version
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

