PatchSiren cyber security CVE debrief
CVE-2026-7566 thimpress CVE debrief
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site.
- Vendor: thimpress
- Product: LearnPress – Backup & Migration Tool
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Administrators of WordPress sites that use the LearnPress – Backup & Migration Tool plugin, and in particular anyone responsible for accounts with administrator-level access and above, since exploitation requires that privilege.
Technical summary
The vulnerability is caused by the deserialization of untrusted input, allowing for PHP Object Injection. The CVSS score is 6.6 (Medium) with a vector of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.
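One way to pre-check data that is about to be deserialized, as an added example (not the plugin's code and not the vendor's fix): a walker for the PHP `serialize()` format that lists every object class name without instantiating anything, so a payload that should hold only scalars and arrays can be rejected if it names a class. The function names and the sample input are constructed for illustration, and unsupported or malformed input is rejected rather than guessed at.

```python
def _expect(data, pos, tok):
    if data[pos:pos + len(tok)] != tok:
        raise ValueError(f"expected {tok!r} at offset {pos}")
    return pos + len(tok)
def _count(data, pos):                # decimal length/count terminated by ':'
    end = data.index(b":", pos)       # ValueError if missing: fail closed
    if not data[pos:end].isdigit():
        raise ValueError("bad length field")
    return int(data[pos:end]), end + 1
def _quoted(data, pos):               # <len>:"<bytes>"
    n, pos = _count(data, pos)
    pos = _expect(data, pos, b'"')
    return data[pos:pos + n], _expect(data, pos + n, b'"')

def _walk(data, pos, found):
    tag = data[pos:pos + 1]
    if tag == b"N":                   # null
        return _expect(data, pos + 1, b";")
    pos = _expect(data, pos + 1, b":")
    if tag in (b"b", b"i", b"d", b"r", b"R"):   # scalars and references
        return data.index(b";", pos) + 1
    if tag == b"s":                   # length-prefixed string, skipped by length
        return _expect(data, _quoted(data, pos)[1], b";")
    if tag in (b"O", b"C"):           # object: record the class name
        name, pos = _quoted(data, pos)
        found.append(name.decode("utf-8", "replace"))
        pos = _expect(data, pos, b":")
        if tag == b"C":               # Serializable: opaque payload of n bytes
            n, pos = _count(data, pos)
            return _expect(data, _expect(data, pos, b"{") + n, b"}")
    elif tag != b"a":
        raise ValueError(f"unsupported tag {tag!r}")  # anything else is rejected
    n, pos = _count(data, pos)
    pos = _expect(data, pos, b"{")
    for _ in range(2 * n):            # n key/value pairs (array items or properties)
        pos = _walk(data, pos, found)
    return _expect(data, pos, b"}")

def object_classes(data: bytes) -> list:
    found = []
    if _walk(data, 0, found) != len(data):
        raise ValueError("trailing bytes after value")
    return found

def safe_to_import(data: bytes) -> bool:
    try:
        return object_classes(data) == []
    except (ValueError, RecursionError):
        return False
SAMPLE = b'a:1:{s:4:"meta";O:8:"stdClass":0:{}}'  # constructed input
```

Because strings are skipped by their declared length, text that merely looks like an object token inside a string value is not flagged. On the PHP side, passing `['allowed_classes' => false]` to `unserialize()` gives the same guarantee at the point of deserialization.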
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of the LearnPress – Backup & Migration Tool plugin (version 4.1.5 or later).
- Review and update other installed plugins and themes, since a POP chain in any of them is what would give this object injection an impact.
- Restrict administrator-level access and above to trusted users only.
Evidence notes
The vulnerability was reported by [email protected] and has a CVSS score of 6.6 (Medium).
Official resources
CVE-2026-7566 was published on 2026-06-06T04:17:39.530Z and modified on 2026-06-08T14:57:14.757Z.