CVE-2026-1787 is a vulnerability classified under CWE-862 (Missing Authorization) found in the LearnPress Export Import extension for WordPress, specifically in the Backup & Migration Tool developed by thimpress. The vulnerability exists because the 'delete_migrated_data' function lacks proper capability checks, meaning it does not verify whether the requestor has the necessary permissions to delete migrated course data. This flaw affects all versions up to and including 4.1.0. The exploit scenario requires that the Tutor LMS plugin is installed and activated, as the vulnerability targets courses migrated from Tutor LMS. An unauthenticated attacker can send crafted requests to delete these migrated courses without any user interaction or authentication. The CVSS v3.1 score is 4.8 (medium severity), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. Although no public exploits are known, the vulnerability could lead to unauthorized deletion of course data, impacting the integrity and availability of educational content hosted on affected WordPress sites. The absence of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention from site administrators.

The primary impact of CVE-2026-1787 is unauthorized deletion of migrated course data from Tutor LMS within WordPress sites using the vulnerable LearnPress Export Import extension. This can lead to loss of critical educational content, disrupting e-learning services and causing operational downtime for educational institutions and businesses relying on these platforms. The integrity of course data is compromised, and availability is reduced due to potential data loss. Although confidentiality is not impacted, the deletion of course content can result in significant reputational damage and loss of trust from users and students. The requirement for Tutor LMS to be installed limits the scope but still affects a substantial subset of LearnPress users. The medium CVSS score reflects the moderate risk, but the ease of exploitation without authentication and user interaction increases the urgency for mitigation. Organizations with large-scale e-learning deployments are particularly vulnerable to disruption and potential financial losses due to recovery efforts.

1. Immediate mitigation involves disabling or uninstalling the LearnPress Export Import extension until a security patch is released. 2. Monitor WordPress plugin updates from thimpress and apply patches promptly once available. 3. Restrict access to the WordPress REST API and admin endpoints using web application firewalls (WAFs) or IP whitelisting to reduce exposure to unauthenticated requests. 4. Implement strict capability checks and role-based access controls within WordPress to limit who can perform migration-related actions. 5. Regularly back up all course data and site content to enable recovery in case of data deletion. 6. Conduct security audits and penetration testing focusing on plugin vulnerabilities and authorization checks. 7. Educate site administrators about the risks of installing multiple LMS plugins and the importance of maintaining updated software. 8. Consider isolating LMS environments or using containerization to limit the blast radius of potential exploits. These steps go beyond generic advice by focusing on access control hardening, proactive monitoring, and operational preparedness specific to WordPress LMS plugins.