[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftuC5Iv157JIlMY1JmtL-MQb2QCz6PNgmWUF547LkuuU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-7565","learnpress-authenticated-administrator-path-traversal-to-arbitrary-file-read-via-import-user-file-parameter","LearnPress \u003C= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter","The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","learnpress-import-export",null,"\u003C=4.1.4","4.1.5","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-05 14:19:01","2026-06-06 02:28:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0f6d0ba7-f9e8-493b-9e6d-62f1c662e21e?source=api-prod",1,[22,23,24,25,26,27,28,29],"config\u002Fmigration-plugin.php","inc\u002FLearnDashMigration\u002FLearnDashDataDump.php","inc\u002FLearnDashMigration\u002FLearnDashStudentDataMigration.php","inc\u002FMigration\u002FControllers\u002FEnqueueScriptsController.php","inc\u002FMigration\u002FControllers\u002FMasterStudyMigrationController.php","inc\u002FMigration\u002FControllers\u002FTutorMigrationController.php","inc\u002FMigration\u002FHelpers\u002FMasterStudy.php","inc\u002FMigration\u002FHelpers\u002FPlugin.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-7565\n\n## 1. Vulnerability Summary\nThe **LearnPress – Backup & Migration Tool** plugin (versions \u003C= 4.1.4) contains an authenticated path traversal vulnerability in its LearnDash migration component. The vulnerability exists because the plugin fails to sanitize or validate the file path provided in the `import-user-file` parameter during migration operations. An authenticated user with Administrator privileges can exploit this to read arbitrary files from the server, including sensitive configuration files like `wp-config.php`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API endpoint for LearnDash migration. Based on the patterns in `MasterStudyMigrationController.php` and `TutorMigrationController.php`, the endpoint is:\n    `POST \u002Fwp-json\u002Flearnpress-import-export\u002Fv1\u002Fmigrate\u002Flearndash`\n*   **Vulnerable Parameter:** `import-user-file`\n*   **Authentication Required:** Administrator-level access (`current_user_can( 'administrator' )`).\n*   **Preconditions:** The plugin must be active. The LearnDash migration \"Option B\" (import from file) must be reachable, though the REST endpoint is likely accessible directly.\n\n## 3. Code Flow\nWhile the exact `LearnDashMigrationController` source was not provided, we can trace the flow based on `LearnDashStudentDataMigration.php` and the provided MasterStudy\u002FTutor controllers:\n1.  The controller (e.g., `LPImportExport\\Migration\\Controllers\\LearnDashMigrationController`) registers a REST route under the namespace generated by `RestApi::generate_namespace()` (likely `learnpress-import-export\u002Fv1`).\n2.  The `migrate` callback is triggered via a `POST` request to `\u002Fmigrate\u002Flearndash`.\n3.  The callback retrieves the `import-user-file` parameter from the request: `$file_path = $request->get_param( 'import-user-file' );`.\n4.  The code logic for \"Option B\" migration (implied by comments in `LearnDashStudentDataMigration.php`) attempts to load this file to process LearnDash JSON data.\n5.  **Vulnerable Sink:** The file path is passed to a file system function (e.g., `file_get_contents()` or `wp_remote_get()` with a `file:\u002F\u002F` wrapper) without traversal sanitization (no `basename()` or check against a whitelist).\n6.  The content of the file is either returned in the response or included in an error message if parsing fails.\n\n## 4. Nonce Acquisition Strategy\nThe REST API endpoints for this plugin are protected by standard WordPress REST API authentication. To make an authenticated `POST` request, the agent needs an `X-WP-Nonce` header.\n\n1.  **Identify Nonce Source:** The plugin enqueues a global object `LP_ADDON_IMPORT_EXPORT_GLOBAL_OBJECT` (see `EnqueueScriptsController.php`, line 150), but this object does not contain a specific nonce.\n2.  **Standard REST Nonce:** Logged-in administrators can use the default WordPress REST nonce.\n3.  **Procedure:**\n    *   Log in as an Administrator.\n    *   Navigate to any page in the WordPress admin dashboard (e.g., `\u002Fwp-admin\u002Fadmin.php?page=lp-migration-tool`).\n    *   Use `browser_eval` to extract the REST nonce from the WordPress core settings:\n        `browser_eval(\"window.wpApiSettings.nonce\")`\n    *   This nonce should be used in the `X-WP-Nonce` header for the exploit request.\n\n## 5. Exploitation Strategy\nThe goal is to read `wp-config.php`.\n\n*   **Step 1:** Authenticate as an administrator and obtain the `X-WP-Nonce`.\n*   **Step 2:** Construct the payload for the `import-user-file` parameter using path traversal sequences: `..\u002F..\u002F..\u002F..\u002Fwp-config.php`.\n*   **Step 3:** Send a `POST` request to the LearnDash migration endpoint.\n\n**HTTP Request Details:**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Flearnpress-import-export\u002Fv1\u002Fmigrate\u002Flearndash`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n*   **Body:**\n    `item=student&paged=1&number=1&import-user-file=..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fwp-config.php`\n\n*Note: The `item`, `paged`, and `number` parameters are included to mimic legitimate migration requests seen in the Tutor\u002FMasterStudy controllers.*\n\n## 6. Test Data Setup\n1.  Install and activate the **LearnPress** plugin.\n2.  Install and activate the **LearnPress – Backup & Migration Tool** (version 4.1.4).\n3.  Create an administrator user.\n4.  Ensure `wp-config.php` exists in the standard location.\n5.  (Optional) Ensure LearnDash is \"active\" if the plugin performs an activity check (see `Plugin::is_learndash_active()` in `inc\u002FMigration\u002FHelpers\u002FPlugin.php`), although the REST route registration might not be blocked.\n\n## 7. Expected Results\n*   **Successful Exploitation:** The HTTP response (likely a 200 OK or a 500 Internal Server Error with details) will contain the raw PHP code of `wp-config.php` or a specific error message leakaing the content:\n    *   `\"Failed to parse JSON: \u003C?php ... define('DB_PASSWORD', '...'); ... ?>\"`\n*   **Failure:** A 403 Forbidden (missing permissions\u002Fnonce) or 404 Not Found (incorrect endpoint).\n\n## 8. Verification Steps\n1.  **Examine Response:** Check the response body for the string `DB_NAME` or `DB_PASSWORD`, which confirms `wp-config.php` was read.\n2.  **WP-CLI Check:** Verify the file content matches the actual `wp-config.php` on the server:\n    `wp config get DB_NAME`\n3.  **Confirm Path Traversal:** Try reading `\u002Fetc\u002Fpasswd` to confirm traversal beyond the WordPress root.\n\n## 9. Alternative Approaches\nIf the LearnDash migration endpoint requires specific items to be present:\n*   **Try Other Controllers:** Check if `MasterStudyMigrationController` or `TutorMigrationController` also accept file parameters in their `migrate` methods (though not visible in the provided snippets, developers often reuse vulnerable patterns).\n*   **Try Different Items:** Change `item=student` to `item=course` or `item=quiz` if the logic differs.\n*   **Protocol Wrapper:** If the direct path is blocked, try `file:\u002F\u002F\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php`.","gemini-3-flash-preview","2026-06-26 03:16:39","2026-06-26 03:17:48",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-import-export\u002Ftags\u002F4.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress-import-export.4.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-import-export\u002Ftags\u002F4.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress-import-export.4.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-import-export\u002Ftags"]