LearnPress Export Import < 4.1.1 – Missing Authentication to Unauthenticated Migrated Course Deletion | CVE 2026-1787 | Plugin Vulnerabilities

Description

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.

Affects Plugins

learnpress-import-export

Fixed in 4.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7bde915d-092a-452b-a0e0-ce5c2ce203dc

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

Verified

No

WPVDB ID

c9714df2-e3bb-4962-bb6e-137d16cf57e6

Timeline

Publicly Published

2026-02-11 (about 3 months ago)

Added

2026-02-20 (about 2 months ago)

Last Updated

2026-02-21 (about 2 months ago)

Other

Published

Title

Published

2026-01-07

Title

Tutor LMS < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details

Published

2026-01-16

Title

RepairBuddy < 4.1121 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

Published

2024-02-27

Title

Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan < 4.52 - Missing Authorization to Unauthenticated IP Address Whitelist

Published

2024-08-27

Title

Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free < 3.7.4.1 - Missing Authorization to Unauthenticated Arbitrary Media Upload

Published

2026-03-27

Title

CartFlows < 2.2.4 - Missing Authorization