CVE-2026-1787 — Missing Authorization in Learnpress Backup Migration Tool

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 76.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thimpress Learnpress Backup Migration Tool

Timeline

PublishedFeb 21

Description

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 2.2 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5thimpress/learnpress_backup_migration_tool4.1.0

🔴Vulnerability Details

CVEList

LearnPress Export Import <= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion↗2026-02-21

▶

GHSA

GHSA-vjr6-wpqm-j5fj: The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing cap↗2026-02-21

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1787 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶