LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter
Description
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=4.1.4What Changed in the Fix
Changes introduced in v4.1.5
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-7565 ## 1. Vulnerability Summary The **LearnPress – Backup & Migration Tool** plugin (versions <= 4.1.4) contains an authenticated path traversal vulnerability in its LearnDash migration component. The vulnerability exists because the plugin fails to sanitize…
Show full research plan
Exploitation Research Plan - CVE-2026-7565
1. Vulnerability Summary
The LearnPress – Backup & Migration Tool plugin (versions <= 4.1.4) contains an authenticated path traversal vulnerability in its LearnDash migration component. The vulnerability exists because the plugin fails to sanitize or validate the file path provided in the import-user-file parameter during migration operations. An authenticated user with Administrator privileges can exploit this to read arbitrary files from the server, including sensitive configuration files like wp-config.php.
2. Attack Vector Analysis
- Endpoint: WordPress REST API endpoint for LearnDash migration. Based on the patterns in
MasterStudyMigrationController.phpandTutorMigrationController.php, the endpoint is:POST /wp-json/learnpress-import-export/v1/migrate/learndash - Vulnerable Parameter:
import-user-file - Authentication Required: Administrator-level access (
current_user_can( 'administrator' )). - Preconditions: The plugin must be active. The LearnDash migration "Option B" (import from file) must be reachable, though the REST endpoint is likely accessible directly.
3. Code Flow
While the exact LearnDashMigrationController source was not provided, we can trace the flow based on LearnDashStudentDataMigration.php and the provided MasterStudy/Tutor controllers:
- The controller (e.g.,
LPImportExport\Migration\Controllers\LearnDashMigrationController) registers a REST route under the namespace generated byRestApi::generate_namespace()(likelylearnpress-import-export/v1). - The
migratecallback is triggered via aPOSTrequest to/migrate/learndash. - The callback retrieves the
import-user-fileparameter from the request:$file_path = $request->get_param( 'import-user-file' );. - The code logic for "Option B" migration (implied by comments in
LearnDashStudentDataMigration.php) attempts to load this file to process LearnDash JSON data. - Vulnerable Sink: The file path is passed to a file system function (e.g.,
file_get_contents()orwp_remote_get()with afile://wrapper) without traversal sanitization (nobasename()or check against a whitelist). - The content of the file is either returned in the response or included in an error message if parsing fails.
4. Nonce Acquisition Strategy
The REST API endpoints for this plugin are protected by standard WordPress REST API authentication. To make an authenticated POST request, the agent needs an X-WP-Nonce header.
- Identify Nonce Source: The plugin enqueues a global object
LP_ADDON_IMPORT_EXPORT_GLOBAL_OBJECT(seeEnqueueScriptsController.php, line 150), but this object does not contain a specific nonce. - Standard REST Nonce: Logged-in administrators can use the default WordPress REST nonce.
- Procedure:
- Log in as an Administrator.
- Navigate to any page in the WordPress admin dashboard (e.g.,
/wp-admin/admin.php?page=lp-migration-tool). - Use
browser_evalto extract the REST nonce from the WordPress core settings:browser_eval("window.wpApiSettings.nonce") - This nonce should be used in the
X-WP-Nonceheader for the exploit request.
5. Exploitation Strategy
The goal is to read wp-config.php.
- Step 1: Authenticate as an administrator and obtain the
X-WP-Nonce. - Step 2: Construct the payload for the
import-user-fileparameter using path traversal sequences:../../../../wp-config.php. - Step 3: Send a
POSTrequest to the LearnDash migration endpoint.
HTTP Request Details:
- Method:
POST - URL:
http://<target>/wp-json/learnpress-import-export/v1/migrate/learndash - Headers:
Content-Type: application/x-www-form-urlencodedX-WP-Nonce: <EXTRACTED_NONCE>
- Body:
item=student&paged=1&number=1&import-user-file=../../../../../../wp-config.php
Note: The item, paged, and number parameters are included to mimic legitimate migration requests seen in the Tutor/MasterStudy controllers.
6. Test Data Setup
- Install and activate the LearnPress plugin.
- Install and activate the LearnPress – Backup & Migration Tool (version 4.1.4).
- Create an administrator user.
- Ensure
wp-config.phpexists in the standard location. - (Optional) Ensure LearnDash is "active" if the plugin performs an activity check (see
Plugin::is_learndash_active()ininc/Migration/Helpers/Plugin.php), although the REST route registration might not be blocked.
7. Expected Results
- Successful Exploitation: The HTTP response (likely a 200 OK or a 500 Internal Server Error with details) will contain the raw PHP code of
wp-config.phpor a specific error message leakaing the content:"Failed to parse JSON: <?php ... define('DB_PASSWORD', '...'); ... ?>"
- Failure: A 403 Forbidden (missing permissions/nonce) or 404 Not Found (incorrect endpoint).
8. Verification Steps
- Examine Response: Check the response body for the string
DB_NAMEorDB_PASSWORD, which confirmswp-config.phpwas read. - WP-CLI Check: Verify the file content matches the actual
wp-config.phpon the server:wp config get DB_NAME - Confirm Path Traversal: Try reading
/etc/passwdto confirm traversal beyond the WordPress root.
9. Alternative Approaches
If the LearnDash migration endpoint requires specific items to be present:
- Try Other Controllers: Check if
MasterStudyMigrationControllerorTutorMigrationControlleralso accept file parameters in theirmigratemethods (though not visible in the provided snippets, developers often reuse vulnerable patterns). - Try Different Items: Change
item=studenttoitem=courseoritem=quizif the logic differs. - Protocol Wrapper: If the direct path is blocked, try
file:///var/www/html/wp-config.php.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.