CVE-2026-1787 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the LearnPress Export Import extension for WordPress, specifically the Backup & Migration Tool developed by thimpress. The vulnerability exists because the 'delete_migrated_data' function lacks a proper capability check, which means it does not verify whether the user invoking this function has the necessary permissions to delete migrated course data. This flaw is exploitable by unauthenticated attackers remotely, provided that the Tutor LMS plugin is installed and activated on the WordPress site. The vulnerability affects all versions up to and including 4.1.0 of the LearnPress Export Import extension. Successful exploitation allows attackers to delete courses that have been migrated from Tutor LMS, resulting in unauthorized loss of data. The CVSS v3.1 base score is 4.8, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights a critical authorization oversight in the plugin's design, which could be leveraged to disrupt e-learning content integrity and availability.

The primary impact of this vulnerability is unauthorized deletion of migrated course data from Tutor LMS within WordPress sites using the vulnerable LearnPress Export Import extension. This can lead to loss of critical educational content, disruption of e-learning services, and potential reputational damage for organizations relying on these platforms. Since the attacker does not require authentication or user interaction, the risk of automated or widespread exploitation exists, especially on publicly accessible WordPress sites. Although the integrity and availability impacts are rated low to medium, the loss of course data can significantly affect educational institutions, training providers, and businesses that depend on these courses for revenue or compliance training. The absence of confidentiality impact means sensitive data leakage is not a concern here, but the deletion of data can cause operational downtime and recovery costs. Organizations worldwide using these plugins are at risk, particularly those with limited backup strategies or insufficient monitoring of plugin activities.

To mitigate this vulnerability, organizations should first verify if they are using the LearnPress Export Import extension version 4.1.0 or earlier alongside the Tutor LMS plugin. Immediate steps include disabling the vulnerable plugin or restricting access to the affected functionality via web application firewalls or access control rules until a patch is available. Administrators should implement strict file and database backup procedures to ensure rapid recovery of deleted course data. Monitoring and logging of plugin-related actions should be enhanced to detect suspicious deletion attempts. If possible, apply custom code patches or capability checks to enforce authorization on the 'delete_migrated_data' function. Regularly update all WordPress plugins and themes to their latest versions once the vendor releases a security update addressing this issue. Additionally, consider isolating or sandboxing critical e-learning environments to minimize exposure. Educate site administrators about the risk and encourage prompt incident response if unauthorized deletions are detected.