PT-2025-49235 · WordPress · User Generator/Importer
Ivan Cese · Published 2025-12-05 · Updated 2025-12-10 · CVE-2025-12879
| CVSS v3.1 | 8.8 High |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
User Generator and Importer plugin for WordPress versions up to and including 1.2.2
Description
The plugin is vulnerable to Cross-Site Request Forgery (CSRF) because the "Import Using CSV File" function does not validate a nonce. By forging a request, an unauthenticated attacker can potentially create arbitrary accounts with administrator privileges, provided they can trick a site administrator into performing an action.
Recommendations
Update the User Generator and Importer plugin to a version newer than 1.2.2.
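For reference, the nonce validation the description says is missing usually takes the following shape in a WordPress import handler. This is an added example, not the plugin's code or its fix: the `example_*` names, the `users_csv` field and the `login,email,role` column order are assumptions, and the role allowlist is extra hardening beyond the nonce check.

```php
<?php
// Added example. All example_* names, the users_csv field and the
// login,email,role column order are hypothetical, not the plugin's own.
// Form side: embed a nonce tied to the logged-in user and this one action.
function example_render_import_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_import_csv">';
    wp_nonce_field( 'example_import_csv', 'example_import_nonce' );
    echo '<input type="file" name="users_csv" accept=".csv">';
    submit_button( 'Import' );
    echo '</form>';
}

// admin-post.php fires admin_post_{action} only for logged-in users.
add_action( 'admin_post_example_import_csv', 'example_handle_import_csv' );

function example_handle_import_csv() {
    // CSRF check: stops the request unless the nonce is present, unexpired
    // and was issued to this user for this action.
    check_admin_referer( 'example_import_csv', 'example_import_nonce' );

    // Authorization check: a valid nonce does not prove the capability.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'You are not allowed to import users.', '', array( 'response' => 403 ) );
    }
    $file = $_FILES['users_csv'] ?? null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( 'No valid CSV upload received.', '', array( 'response' => 400 ) );
    }
    // Extra hardening (an assumption of this example): roles come from an
    // allowlist, so a CSV row cannot request the administrator role.
    $allowed_roles = array( 'subscriber', 'contributor', 'author', 'editor' );
    $handle        = fopen( $file['tmp_name'], 'r' );
    while ( false !== ( $row = fgetcsv( $handle, 0, ',', '"', '\\' ) ) ) {
        if ( count( $row ) < 3 ) { continue; } // skip blank or short rows
        list( $login, $email, $role ) = array_map( 'trim', $row );
        wp_insert_user( array(
            'user_login' => sanitize_user( $login, true ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => in_array( $role, $allowed_roles, true ) ? $role : 'subscriber',
        ) );
    }
    fclose( $handle );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
```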
Fix
LPE
CSRF
Affected Products
User Generator/Importer