CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
What the vulnerability does
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
Explanation of Vulnerability in Simple Terms
The LearnPress – Backup & Migration Tool plugin for WordPress versions 4.1.0 and earlier lacks proper authorization checks on certain functions. An attacker without authentication can modify site data through network requests, though the attack requires specific conditions to succeed. This affects the integrity and availability of backups and migrations.
What an attacker can do
Modify or disrupt backup and migration data without logging in.
Potential impact on your site
Backups or migrations could be corrupted or disrupted by unauthenticated attackers.
Conditions required to exploit
Network access; attack requires specific timing or conditions (high complexity).
Key dates
External resources
Related vulnerabilities
