Atomic Edge analysis of CVE-2026-1787:
This vulnerability is an unauthenticated data deletion flaw in the LearnPress Export Import plugin for WordPress. It allows attackers to delete migrated courses without authentication when the Tutor LMS plugin is active. The CVSS score of 4.8 reflects a moderate-impact data integrity issue.

The root cause is a missing capability check in the ‘delete_migrated_data’ function of the TutorMigration class. The vulnerable code registers this function as an AJAX handler via ‘wp_ajax_delete_migrated_data’ without verifying user permissions, so it processes deletion requests without validating that the user has administrative privileges. The AJAX endpoint at /wp-admin/admin-ajax.php accepts the ‘action=delete_migrated_data’ parameter from any user.

Exploitation requires the Tutor LMS plugin to be installed and activated. Attackers send a POST request to /wp-admin/admin-ajax.php with the parameter ‘action=delete_migrated_data’. The request triggers the TutorMigration::delete_migrated_data() function, which executes SQL DELETE operations on the wp_learnpress_user_items table. No authentication or nonce verification occurs before the deletion operation.

The patch adds a capability check to the AJAX handler registration. The fix changes the hook registration from ‘wp_ajax_delete_migrated_data’ to ‘wp_ajax_nopriv_delete_migrated_data’ for unauthenticated users, preventing unauthorized access. The corrected code now requires users to have the ‘administrator’ capability before processing deletion requests. This ensures only authorized administrators can delete migrated course data.
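
For sites that cannot update immediately, the missing check can be enforced in front of the plugin's handler with a must-use plugin. This is an added example, not code from the plugin or from this analysis; the `lpie_guard_*` name, the log prefix, and the use of `manage_options` to stand in for the ‘administrator’ requirement are assumptions, and it assumes the plugin attaches its handler at a normal hook priority.

```php
<?php
/**
 * Added example, not the plugin's code. Place in wp-content/mu-plugins/.
 * Blocks the 'delete_migrated_data' AJAX action for anyone who is not an
 * administrator, before the plugin's own handler can run.
 */

// Hypothetical helper name. Assumption: 'manage_options' represents the
// administrator-only requirement described in the analysis.
function lpie_guard_delete_migrated_data() {
	if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
		return; // Authorized: fall through to the plugin's handler.
	}

	// Record the denied attempt in the PHP error log for later review.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: '-';
	error_log( sprintf(
		'[lpie-guard] denied delete_migrated_data: ip=%s user_id=%d',
		$ip,
		get_current_user_id()
	) );

	// wp_send_json_error() ends the request, so callbacks registered at a
	// later priority (including the deletion routine) never execute.
	wp_send_json_error(
		array( 'message' => 'Insufficient permissions.' ),
		is_user_logged_in() ? 403 : 401
	);
}

// Guard both hook variants: wp_ajax_{action} fires for logged-in users,
// wp_ajax_nopriv_{action} for logged-out visitors. PHP_INT_MIN makes the
// guard run ahead of any callback registered at a normal priority.
add_action( 'wp_ajax_delete_migrated_data', 'lpie_guard_delete_migrated_data', PHP_INT_MIN );
add_action( 'wp_ajax_nopriv_delete_migrated_data', 'lpie_guard_delete_migrated_data', PHP_INT_MIN );
```

The guard does not add nonce verification, because the nonce action the plugin's own admin screen would send is not given here; it closes the authorization gap only.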

Successful exploitation results in permanent deletion of migrated course data from the wp_learnpress_user_items database table. Attackers can remove user progress records, completion status, and enrollment data for courses migrated from Tutor LMS. The vulnerability affects data integrity but does not enable privilege escalation or remote code execution.