CVE-2026-7566
LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File UploadThe LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
We have discovered 178 live websites that are affected by CVE-2026-7566.
Affected Software
| Product |  Learnpress Import Export |
| Category | Wordpress Plugins |
| Vulnerable Domains | 178 live websites (100% of Learnpress Import Export install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 3 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-502 Deserialization of Untrusted DataDetails
- Published - Jun 6, 2026
- Updated - Jun 6, 2026
Credits
- Wannes Verwimp (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-7566 United States | 49 websites |
 India | 14 websites |
 Germany | 13 websites |
 France | 11 websites |
 Cyprus | 10 websites |
 GB | 7 websites |
 Italy | 5 websites |
 Australia | 5 websites |
 Romania | 4 websites |
 South Africa | 3 websites |
Website Distribution by TLD
Number of websites using CVE-2026-7566| .com | 77 websites |
| .org | 19 websites |
| .co.uk | 4 websites |
| .de | 4 websites |
| .net | 3 websites |
| .nl | 3 websites |
| .it | 3 websites |
| .co | 3 websites |
| .se | 3 websites |
| .com.au | 2 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-7566
Top websites that are affected by CVE-2026-7566. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***.uk | GB | **,*** | |
| *******.org | United States | ***,*** | |
| **.**.ke |  Kenya | ***,*** | |
| ***.****.org | United States | ***,*** | |
| *****************.ee |  Estonia | ***,*** | |
| *****.***.ua |  Ukraine | ***,*** | |
| **********.co | United States | *,***,*** | |
| *****.se |  Sweden | *,***,*** | |
| *****.***.**.ug |  Uganda | *,***,*** | |
| ********************.com | United States | *,***,*** |
FAQ
CVE-2026-7566 is Deserialization of Untrusted Data in Learnpress Import Export
A total of 178 websites have been identified as vulnerable to CVE-2026-7566, based on global website indexing conducted by WebTechSurvey.
The Learnpress Import Export is affected by the CVE-2026-7566 vulnerability.
Learnpress Import Export versions up to and including 4.1.4 are vulnerable to CVE-2026-7566.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2f796373-7116-4fd3-9d53-5f520e6e1a0c?source=cve
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/parsers.php#L871
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/parsers.php#L871
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/parsers.php#L871
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.5/inc/functions.php#L384