CVE-2026-7566
PHP Object Injection in LearnPress Backup & Migration Tool
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress_backup_migration_tool | up to and including 4.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with administrator-level access to perform malicious actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the affected WordPress site.
The actual impact depends on the presence of a POP chain in other installed plugins or themes, which would enable these actions.
Can you explain this vulnerability to me?
The LearnPress β Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 4.1.4. This vulnerability arises from the deserialization of untrusted input, allowing authenticated users with administrator-level access or higher to inject a PHP object.
However, there is no known POP (Property Oriented Programming) chain present in the vulnerable plugin itself, so the vulnerability only has an impact if another plugin or theme containing a POP chain is installed on the same site.
If such a POP chain exists via an additional plugin or theme, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain available.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the LearnPress β Backup & Migration Tool plugin up to and including 4.1.4. Immediate mitigation steps include updating the plugin to a version later than 4.1.4 where the vulnerability is fixed.
Additionally, since the vulnerability requires administrator-level access and the presence of a PHP Object Injection POP chain in another plugin or theme to be exploitable, reviewing and limiting installed plugins and themes to trusted sources can reduce risk.
If updating is not immediately possible, restricting administrator access and monitoring for suspicious activity related to plugin deserialization may help mitigate exploitation.
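The two answers above describe the root cause (CWE-502, `unserialize()` on input an administrator controls) and the fix (update, and reduce the gadget surface). As an added illustration that is not the plugin's code, the page does not show how the LearnPress β Backup & Migration Tool deserializes its input, so the handler below is a hypothetical WordPress settings-import handler: the function names, the option key `lp_bm_settings`, the request field `settings` and the setting names are assumptions. It shows the vulnerable pattern next to a hardened form that never lets request data reach `unserialize()`, and a fallback for legacy serialized data that refuses to instantiate objects.

```php
<?php
// Added example, not code from the LearnPress plugin. Handler names, the
// option key and the request field are assumptions for illustration.

// Vulnerable pattern (CWE-502): serialized PHP from the request is passed
// straight to unserialize(). Any class loaded on the site that defines
// __wakeup()/__destruct()/__toString() can then be instantiated, which is
// exactly the "POP chain in another plugin or theme" condition the advisory
// describes. A capability check limits WHO can reach this, not what it does.
function lp_bm_import_settings_unsafe( array $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'lp_bm_forbidden', 'Insufficient privileges.' );
    }
    $blob     = isset( $request['settings'] ) ? (string) $request['settings'] : '';
    $settings = unserialize( $blob ); // untrusted data becomes arbitrary objects
    update_option( 'lp_bm_settings', $settings );
    return true;
}

// Hardened form: use a data format that cannot express PHP objects (JSON),
// bound the parse depth, and copy only known keys with known types into
// what gets stored. Nonce + capability checks stay, but the deserialization
// risk is removed independently of them.
function lp_bm_import_settings_safe( array $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'lp_bm_forbidden', 'Insufficient privileges.' );
    }
    check_admin_referer( 'lp_bm_import' ); // assumed nonce action name

    $blob     = isset( $request['settings'] ) ? (string) $request['settings'] : '';
    $settings = json_decode( $blob, true, 8 ); // assoc arrays only, depth-limited
    if ( ! is_array( $settings ) || json_last_error() !== JSON_ERROR_NONE ) {
        return new WP_Error( 'lp_bm_bad_import', 'Import payload is not valid JSON.' );
    }

    // Allow-list of settings and their types (assumed for the example).
    $schema = array(
        'include_uploads' => 'bool',
        'batch_size'      => 'int',
        'export_label'    => 'text',
    );
    $clean = array();
    foreach ( $schema as $key => $type ) {
        if ( ! array_key_exists( $key, $settings ) ) {
            continue;
        }
        switch ( $type ) {
            case 'bool':
                $clean[ $key ] = (bool) $settings[ $key ];
                break;
            case 'int':
                $clean[ $key ] = absint( $settings[ $key ] );
                break;
            default:
                $clean[ $key ] = sanitize_text_field( (string) $settings[ $key ] );
        }
    }
    update_option( 'lp_bm_settings', $clean );
    return true;
}

// If legacy serialized blobs must still be read, refuse object instantiation:
// allowed_classes => false (PHP >= 7.0) turns every serialized object into
// __PHP_Incomplete_Class, so no magic method of any installed plugin or theme
// runs. Scalars and arrays are still restored.
function lp_bm_read_legacy_blob( string $blob ) {
    $data = unserialize( $blob, array( 'allowed_classes' => false ) );
    return ( false === $data && 'b:0;' !== $blob ) ? null : $data;
}
```

The design point matches the advisory's own framing: the bug is exploitable only by administrators, and only when a gadget exists elsewhere on the site, but neither condition is something the import code should rely on. Removing `unserialize()` from the request path (or pinning `allowed_classes` to `false` where serialized data is unavoidable) closes the issue regardless of which other plugins or themes are installed.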
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with administrator-level access to potentially delete arbitrary files, retrieve sensitive data, or execute code if a POP chain is present via an additional plugin or theme. This exposure of sensitive data and potential unauthorized actions could negatively impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive information and system integrity.
However, the vulnerability itself requires the presence of another plugin or theme containing a POP chain to be exploitable, which may limit the direct impact.