CVE-2026-7565 | The LearnPress – Backup & Migration Tool plugin for WordPres… | CVSS 4.9 MEDIUM

Description

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Metadata

CVE ID: CVE-2026-7565
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-04-30 20:25 UTC
Published: 2026-06-06 02:28 UTC
Last updated: 2026-06-06 11:43 UTC
Primary CWE: CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product: thimpress / LearnPress – Backup & Migration Tool
Sources: cve.org · NVD

Severity & Metrics

4.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
thimpress	LearnPress – Backup & Migration Tool	—	0 ≤ 4.1.4

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.9	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References (8)