CVE-2026-7565

LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
4.9
CVSS Score
4.9
CVSS Score
medium
Severity
4.1.5
Patched in
1d
Time to patch

Description

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.1.4
PublishedJune 5, 2026
Last updatedJune 6, 2026

What Changed in the Fix

Changes introduced in v4.1.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-7565 ## 1. Vulnerability Summary The **LearnPress – Backup & Migration Tool** plugin (versions <= 4.1.4) contains an authenticated path traversal vulnerability in its LearnDash migration component. The vulnerability exists because the plugin fails to sanitize…

Show full research plan

Exploitation Research Plan - CVE-2026-7565

1. Vulnerability Summary

The LearnPress – Backup & Migration Tool plugin (versions <= 4.1.4) contains an authenticated path traversal vulnerability in its LearnDash migration component. The vulnerability exists because the plugin fails to sanitize or validate the file path provided in the import-user-file parameter during migration operations. An authenticated user with Administrator privileges can exploit this to read arbitrary files from the server, including sensitive configuration files like wp-config.php.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API endpoint for LearnDash migration. Based on the patterns in MasterStudyMigrationController.php and TutorMigrationController.php, the endpoint is:
    POST /wp-json/learnpress-import-export/v1/migrate/learndash
  • Vulnerable Parameter: import-user-file
  • Authentication Required: Administrator-level access (current_user_can( 'administrator' )).
  • Preconditions: The plugin must be active. The LearnDash migration "Option B" (import from file) must be reachable, though the REST endpoint is likely accessible directly.

3. Code Flow

While the exact LearnDashMigrationController source was not provided, we can trace the flow based on LearnDashStudentDataMigration.php and the provided MasterStudy/Tutor controllers:

  1. The controller (e.g., LPImportExport\Migration\Controllers\LearnDashMigrationController) registers a REST route under the namespace generated by RestApi::generate_namespace() (likely learnpress-import-export/v1).
  2. The migrate callback is triggered via a POST request to /migrate/learndash.
  3. The callback retrieves the import-user-file parameter from the request: $file_path = $request->get_param( 'import-user-file' );.
  4. The code logic for "Option B" migration (implied by comments in LearnDashStudentDataMigration.php) attempts to load this file to process LearnDash JSON data.
  5. Vulnerable Sink: The file path is passed to a file system function (e.g., file_get_contents() or wp_remote_get() with a file:// wrapper) without traversal sanitization (no basename() or check against a whitelist).
  6. The content of the file is either returned in the response or included in an error message if parsing fails.

4. Nonce Acquisition Strategy

The REST API endpoints for this plugin are protected by standard WordPress REST API authentication. To make an authenticated POST request, the agent needs an X-WP-Nonce header.

  1. Identify Nonce Source: The plugin enqueues a global object LP_ADDON_IMPORT_EXPORT_GLOBAL_OBJECT (see EnqueueScriptsController.php, line 150), but this object does not contain a specific nonce.
  2. Standard REST Nonce: Logged-in administrators can use the default WordPress REST nonce.
  3. Procedure:
    • Log in as an Administrator.
    • Navigate to any page in the WordPress admin dashboard (e.g., /wp-admin/admin.php?page=lp-migration-tool).
    • Use browser_eval to extract the REST nonce from the WordPress core settings:
      browser_eval("window.wpApiSettings.nonce")
    • This nonce should be used in the X-WP-Nonce header for the exploit request.

5. Exploitation Strategy

The goal is to read wp-config.php.

  • Step 1: Authenticate as an administrator and obtain the X-WP-Nonce.
  • Step 2: Construct the payload for the import-user-file parameter using path traversal sequences: ../../../../wp-config.php.
  • Step 3: Send a POST request to the LearnDash migration endpoint.

HTTP Request Details:

  • Method: POST
  • URL: http://<target>/wp-json/learnpress-import-export/v1/migrate/learndash
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • X-WP-Nonce: <EXTRACTED_NONCE>
  • Body:
    item=student&paged=1&number=1&import-user-file=../../../../../../wp-config.php

Note: The item, paged, and number parameters are included to mimic legitimate migration requests seen in the Tutor/MasterStudy controllers.

6. Test Data Setup

  1. Install and activate the LearnPress plugin.
  2. Install and activate the LearnPress – Backup & Migration Tool (version 4.1.4).
  3. Create an administrator user.
  4. Ensure wp-config.php exists in the standard location.
  5. (Optional) Ensure LearnDash is "active" if the plugin performs an activity check (see Plugin::is_learndash_active() in inc/Migration/Helpers/Plugin.php), although the REST route registration might not be blocked.

7. Expected Results

  • Successful Exploitation: The HTTP response (likely a 200 OK or a 500 Internal Server Error with details) will contain the raw PHP code of wp-config.php or a specific error message leakaing the content:
    • "Failed to parse JSON: <?php ... define('DB_PASSWORD', '...'); ... ?>"
  • Failure: A 403 Forbidden (missing permissions/nonce) or 404 Not Found (incorrect endpoint).

8. Verification Steps

  1. Examine Response: Check the response body for the string DB_NAME or DB_PASSWORD, which confirms wp-config.php was read.
  2. WP-CLI Check: Verify the file content matches the actual wp-config.php on the server:
    wp config get DB_NAME
  3. Confirm Path Traversal: Try reading /etc/passwd to confirm traversal beyond the WordPress root.

9. Alternative Approaches

If the LearnDash migration endpoint requires specific items to be present:

  • Try Other Controllers: Check if MasterStudyMigrationController or TutorMigrationController also accept file parameters in their migrate methods (though not visible in the provided snippets, developers often reuse vulnerable patterns).
  • Try Different Items: Change item=student to item=course or item=quiz if the logic differs.
  • Protocol Wrapper: If the direct path is blocked, try file:///var/www/html/wp-config.php.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.