LearnPress Export Import WordPress Plugin Missing Authentication Vulnerability Allowing Unauthenticated Data Deletion

Vulnerability

A vulnerability exists in the LearnPress Export Import WordPress plugin, in versions through 4.1.0. The 'delete_migrated_data' function lacks a proper capability check, which allows unauthenticated attackers to delete courses that were migrated from Tutor LMS. The vulnerability is exploitable only when the Tutor LMS plugin is installed and activated.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of Tutor LMS courses that have been migrated to LearnPress.

Reproduction

The vulnerability can be reproduced by sending a DELETE request to the '/delete-migrated-data/tutor' endpoint of the WordPress REST API. The request requires no authentication and triggers the deletion of migrated Tutor LMS courses on the site.
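
To review whether the endpoint described above has been called on a site, the access log can be searched as follows. This is an added example, not code from the advisory or the plugin; it assumes a combined-format web server access log, and the namespace `example-ns/v1` and the sample lines are constructed. Access logs do not show whether a request carried credentials, so every DELETE to the route is reported for review.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Route suffix taken from the advisory; the REST namespace in front of it is
# not given on the page, so the match is on the suffix only.
ROUTE_SUFFIX = "/delete-migrated-data/tutor"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:                           # pretty-permalink form
        return "/" + path.split("/wp-json/", 1)[1]
    routes = parse_qs(parts.query).get("rest_route")  # plain-permalink form
    return routes[0] if routes else None

def find_delete_calls(lines):
    """Yield a dict for every DELETE request to the migrated-data route."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        route = rest_route(m["target"])
        if route and route.rstrip("/").lower().endswith(ROUTE_SUFFIX):
            status = int(m["status"])
            yield {"ip": m["ip"], "time": m["time"], "route": route,
                   "status": status, "succeeded": 200 <= status < 300}

# Constructed sample lines (documentation IPs, hypothetical namespace "example-ns/v1").
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Feb/2026:10:02:11 +0000] "DELETE /wp-json/example-ns/v1/delete-migrated-data/tutor HTTP/1.1" 200 58 "-" "curl/8.5.0"',
    '198.51.100.7 - - [21/Feb/2026:10:02:15 +0000] "DELETE /?rest_route=%2Fexample-ns%2Fv1%2Fdelete-migrated-data%2Ftutor HTTP/1.1" 401 112 "-" "curl/8.5.0"',
    '203.0.113.20 - - [21/Feb/2026:10:03:40 +0000] "GET /wp-json/example-ns/v1/delete-migrated-data/tutor HTTP/1.1" 404 90 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [21/Feb/2026:10:04:02 +0000] "DELETE /wp-json/wp/v2/posts/12 HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_delete_calls(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status on a site running version 4.1.0 or earlier is a reason to compare the migrated courses against a backup.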

Remediation

Users are advised to update the LearnPress Export Import plugin to version 4.1.1 or later.

Added: Feb 21, 2026, 11:30 AM
Updated: Feb 21, 2026, 11:30 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 8.9
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.