LearnPress – Backup & Migration Tool Vulnerability (Medium) – CVE-2…

Feb 21, 2026 | Plugins

Attack Vectors

This Medium-severity vulnerability (CVE-2026-1787, CVSS 4.8) affects the LearnPress – Backup & Migration Tool WordPress plugin (slug: learnpress-import-export) in versions up to and including 4.1.0. The issue can be exploited remotely over the network by an unauthenticated attacker.

The practical attack scenario is specific: the attacker can target courses that were migrated from Tutor LMS. Exploitation requires that the Tutor LMS plugin is installed and activated on the site, because the vulnerable deletion behavior relates to migrated Tutor LMS course data.

Security Weakness

The core weakness is a missing capability (permission) check in the plugin’s delete_migrated_data function. In affected versions, this missing check means the site does not reliably confirm that the request is coming from a logged-in, authorized administrator (or other permitted role) before allowing deletion of migrated course data.

In business terms, this is an access control failure: a sensitive action (deleting course content) can be triggered without the normal “are you allowed to do this?” gate that organizations rely on to prevent anonymous internet traffic from making destructive changes.

Technical or Business Impacts

The primary impact is unauthorized loss of data—specifically, deletion of courses migrated from Tutor LMS. While the CVSS metrics indicate no confidentiality impact, the integrity and availability impacts are real: course content can be removed without authentication, potentially disrupting your learning experience and operations.

From a business-risk perspective, this can translate into interrupted revenue (paid enrollments, subscriptions, course launches), brand damage (learners encountering missing content), and operational overhead (restoring from backups, rebuilding courses, handling customer support and refunds). For compliance and governance teams, the incident may also raise concerns around change control and content integrity if training materials are altered or removed outside authorized processes.

Remediation: Update LearnPress – Backup & Migration Tool to version 4.1.1 or newer, which contains the vendor’s patch. Track the record here: CVE-2026-1787. Reference source: Wordfence Threat Intel.
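An added example, not part of the original advisory or the plugin's code: a triage script that reads a site's `wp plugin list --format=json` output and applies the conditions stated above (versions up to 4.1.0 affected, 4.1.1 fixed, Tutor LMS installed and activated). The Tutor LMS slug `tutor`, the result labels and the sample inventory are assumptions made for the example.

```python
import json
import re

LP_SLUG = "learnpress-import-export"   # plugin slug given in the advisory
TUTOR_SLUG = "tutor"                   # assumption: Tutor LMS plugin slug
FIXED = (4, 1, 1)                      # first patched version per the advisory
ACTIVE = {"active", "active-network"}  # WP-CLI statuses meaning the plugin is loaded


def parse_version(text):
    """'4.1.0' -> (4, 1, 0). Unparseable input -> (0, 0, 0), i.e. treated as old."""
    m = re.match(r"\d+(?:\.\d+)*", str(text or "").strip())
    nums = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple(nums + [0] * (3 - len(nums)))


def triage(plugin_list_json):
    """Classify one site from its `wp plugin list --format=json` output."""
    plugins = {p["name"]: p for p in json.loads(plugin_list_json)}
    lp = plugins.get(LP_SLUG)
    if lp is None:
        return "not-installed"
    if parse_version(lp.get("version")) >= FIXED:
        return "patched"
    # Affected version present. The advisory's attack scenario also needs
    # Tutor LMS installed and activated alongside the active plugin.
    tutor_active = plugins.get(TUTOR_SLUG, {}).get("status") in ACTIVE
    if lp.get("status") in ACTIVE and tutor_active:
        return "exposed"
    return "update-needed"


# Constructed sample inventory (not taken from a real site).
SAMPLE = json.dumps([
    {"name": "learnpress", "status": "active", "update": "none", "version": "4.3.2"},
    {"name": LP_SLUG, "status": "active", "update": "available", "version": "4.1.0"},
    {"name": TUTOR_SLUG, "status": "active", "update": "none", "version": "3.0.0"},
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Sites reported as `update-needed` still run an affected version and should move to 4.1.1 or newer; the label only means the Tutor LMS precondition was not met at the time of the inventory.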

Similar Attacks

Unauthenticated, internet-reachable vulnerabilities are frequently targeted because they remove the need for stolen credentials. While the technical details differ, the business lesson is the same: a single exposed weakness can enable disruptive changes or compromise at scale.

Examples of widely exploited, unauthenticated vulnerabilities include:

CVE-2018-7600 (Drupalgeddon 2) — a remote attack path that was broadly exploited against public-facing sites.
CVE-2023-34362 (MOVEit Transfer) — mass exploitation of an internet-exposed application, resulting in significant organizational disruption and data impact across many sectors.
