Critical CSRF Vulnerability Plagues User Generator and Importer WordPress Plugin (CVE-2025-12879)

Overview

A high-severity Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-12879, has been discovered in the User Generator and Importer plugin for WordPress. This vulnerability affects versions up to and including 1.2.2. Exploitation allows unauthenticated attackers to potentially elevate user privileges by creating arbitrary administrator accounts, provided they can successfully trick a site administrator into clicking a malicious link or performing another action that triggers a forged request.

Technical Details

The vulnerability stems from a lack of proper nonce validation within the “Import Using CSV File” functionality of the User Generator and Importer plugin. Specifically, the user-generator.php file, around line 145 in version 1.2.2, does not adequately verify the authenticity of incoming requests related to CSV import. This allows an attacker to craft a malicious request that, when executed by a logged-in administrator, bypasses security checks and creates new user accounts with elevated (administrator) privileges. The lack of nonce verification makes the request susceptible to CSRF attacks.
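As an added illustration (not the plugin's own code), the pattern the advisory describes and its fix, written as a hypothetical WordPress admin_post CSV-import handler: the first version processes any request that arrives while an administrator is logged in, the second verifies a nonce, the caller's capability and the requested role before creating accounts. All ugi_demo_* names and form field names are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a CSV-import handler wired to
// WordPress's admin_post hook. The first handler has the weakness the advisory
// describes (no nonce check); the second adds the checks that reject a forged
// request. All ugi_demo_* names and form fields are hypothetical.
// Shared helper: one user per CSV row "login,email"; every row gets $role.
function ugi_demo_create_users_from_csv( $path, $role ) {
    $fh = fopen( $path, 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( count( $row ) < 2 ) { continue; } // skip malformed rows
        wp_insert_user( array(
            'user_login' => sanitize_user( $row[0] ),
            'user_email' => sanitize_email( $row[1] ),
            'user_pass'  => wp_generate_password(),
            'role'       => $role,
        ) );
    }
    fclose( $fh );
}

// Vulnerable pattern (shown for contrast, not registered): nothing ties the
// request to a form the admin submitted, so a cross-site POST sent while an
// admin is logged in is processed with that admin's session.
function ugi_demo_import_csv_vulnerable() {
    $role = isset( $_POST['ugi_role'] ) ? sanitize_key( $_POST['ugi_role'] ) : 'subscriber';
    ugi_demo_create_users_from_csv( $_FILES['ugi_csv']['tmp_name'], $role );
    wp_safe_redirect( admin_url( 'admin.php?page=ugi-demo&imported=1' ) );
    exit;
}

// Hardened pattern: the nonce proves intent, the capability check proves
// authority, and the role must be one the current user may assign.
function ugi_demo_import_csv_hardened() {
    // Fails with 403 unless the form carried a nonce minted for this action
    // and user via wp_nonce_field( 'ugi_demo_import_csv', 'ugi_demo_nonce' ).
    check_admin_referer( 'ugi_demo_import_csv', 'ugi_demo_nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ugi-demo' ), 403 );
    }
    $role = isset( $_POST['ugi_role'] ) ? sanitize_key( $_POST['ugi_role'] ) : 'subscriber';
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_die( esc_html__( 'Invalid role.', 'ugi-demo' ), 400 );
    }
    if ( empty( $_FILES['ugi_csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['ugi_csv']['tmp_name'] ) ) {
        wp_die( esc_html__( 'No CSV file uploaded.', 'ugi-demo' ), 400 );
    }
    ugi_demo_create_users_from_csv( $_FILES['ugi_csv']['tmp_name'], $role );
    wp_safe_redirect( admin_url( 'admin.php?page=ugi-demo&imported=1' ) );
    exit;
}
add_action( 'admin_post_ugi_demo_import_csv', 'ugi_demo_import_csv_hardened' );
```

The nonce check alone is not enough: a nonce only shows the request came from a form WordPress rendered for this user, so the capability and role checks must remain.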

CVSS Analysis

  • Severity: HIGH
  • CVSS Score: 8.8

A CVSS score of 8.8 indicates a high-severity vulnerability. The high score reflects the potential for significant impact, including complete compromise of the affected WordPress site, given the ability to create admin accounts.

Possible Impact

A successful exploitation of this CSRF vulnerability can have severe consequences:

  • Complete Site Takeover: Attackers can create administrator accounts, granting them full control over the WordPress website.
  • Data Breach: With administrator access, attackers can potentially access and exfiltrate sensitive data stored within the WordPress database.
  • Malware Injection: Attackers can inject malicious code into the website, potentially infecting visitors and spreading malware.
  • Defacement: Attackers can deface the website, damaging the reputation of the site owner.
  • Spam and Phishing: Compromised sites can be used to send spam emails or host phishing pages.

Mitigation or Patch Steps

The recommended mitigation is to update the User Generator and Importer plugin to the latest available version immediately. Check the WordPress plugin repository for updates. If an update is not yet available, consider temporarily disabling the plugin until a patched version is released. In addition, apply consistent CSRF protection across your WordPress environment, in particular nonce verification and capability checks on every state-changing request handled by custom or third-party code, to limit the impact of similar vulnerabilities.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
