CVE-2026-1787
Unauthorized Data Deletion in LearnPress Export Import Plugin
Publication date: 2026-02-21
Last updated on: 2026-02-21
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress_import_export | 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the LearnPress Export Import WordPress extension for the LearnPress plugin. It is caused by a missing capability check on the 'delete_migrated_data' function in all versions up to and including 4.1.0. This flaw allows unauthenticated attackers to delete courses that have been migrated from the Tutor LMS plugin, provided that Tutor LMS is installed and activated.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of migrated course data from Tutor LMS within the LearnPress plugin. An attacker without authentication can exploit this to delete important educational content, causing data loss and disruption of course availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized deletion of migrated course data via the 'delete_migrated_data' REST API endpoint in the LearnPress Export Import plugin for WordPress. Detection can focus on monitoring REST API calls to the endpoint '/delete-migrated-data/tutor'.

You can detect potential exploitation attempts by checking your web server logs or WordPress access logs for DELETE requests to the '/wp-json/lp-import-export/v1/delete-migrated-data/tutor' endpoint (the exact REST route prefix may vary depending on plugin configuration).

- Use command-line tools like grep to search for suspicious DELETE requests in your access logs, for example: `grep 'DELETE /wp-json/lp-import-export/v1/delete-migrated-data/tutor' /var/log/apache2/access.log`
- Monitor WordPress REST API logs or enable logging plugins that capture REST API calls to identify unauthorized access attempts.
- Check for unexpected deletion of courses migrated from Tutor LMS by reviewing the WordPress admin interface or querying the database for missing migrated course entries. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include restricting access to the vulnerable REST API endpoint and updating the plugin.

- Update the LearnPress Export Import plugin to a version later than 4.1.0 where the missing capability check on the 'delete_migrated_data' function is fixed.
- If an update is not immediately available, restrict access to the REST API endpoint '/delete-migrated-data/tutor' by implementing firewall rules or web server access controls to block unauthenticated DELETE requests.
- Disable or deactivate the LearnPress Export Import plugin if the migration functionality is not required.
- Ensure that the Tutor LMS plugin is only installed and activated if necessary, as the vulnerability requires Tutor LMS to be active to be exploitable. [2]