MEDIUM · CVE-2026-22359 · CVSS 4.3

CVE-2026-22359: CSRF in AA-Team Movies Bulk Importer

Platform: wordpress

Component: movies-importer

Fixed in: 1.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-22359 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the AA-Team Wordpress Movies Bulk Importer plugin. This vulnerability allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of movie data. The vulnerability affects versions of the plugin up to and including 1.0. A fix is pending release from the vendor.


Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to manipulate the Movies Bulk Importer plugin without the user's knowledge or consent. This could involve adding malicious movie entries, modifying existing movie details (e.g., changing ratings, descriptions, or links), or even deleting legitimate movie data. The impact is amplified if the plugin is used in a high-traffic website or if it integrates with other critical systems. While the direct impact is limited to the plugin's functionality, a compromised plugin could be a stepping stone for further attacks on the WordPress site itself, particularly if other vulnerabilities exist.

Exploitation Context

CVE-2026-22359 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.01% (0% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base score: 4.3 (MEDIUM), per nextguardhq.com (CVSS v3.1 Base Score)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet; no physical or local access required (widest attack surface). This is how the attacker reaches the target.
Attack Complexity: Low — no special conditions required; the attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated; no login or credentials needed to exploit.
User Interaction: Required — a victim must take an action, such as opening a file, clicking a link, or visiting a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact; the attacker cannot read protected data.
Integrity: Low — the attacker can modify some data with limited scope or impact.
Availability: None — no availability impact; the service remains fully operational.

Affected Software

Component: movies-importer
Vendor: wordfence
Affected range: n/a – <= 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 122 days since disclosure

Mitigation and Workarounds

As a fix is not yet available, immediate mitigation strategies are crucial. Implement strict input validation on all user-supplied data within the plugin to prevent malicious payloads. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block suspicious requests. Additionally, enforce strong password policies and encourage users to enable two-factor authentication on their WordPress accounts. Regularly review and audit plugin configurations to identify any potential weaknesses. Once a patched version is released, upgrade immediately and verify the fix by attempting a CSRF attack using a known payload.
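The root cause of a CSRF flaw in a WordPress plugin is an admin action that acts on a form submission without checking that the request carries a nonce bound to the logged-in user. The following example is added here to illustrate the defensive pattern and is not code from the Movies Bulk Importer plugin: the hook names, option key, form fields and nonce action are hypothetical. It shows a handler that accepts any POST beside the hardened form that verifies capability and nonce before touching data.

```php
<?php
/**
 * Added example (hypothetical, not the plugin's own code): a WordPress
 * admin-action handler exposed to CSRF, and its hardened counterpart.
 */

// --- Exposed pattern -----------------------------------------------------
// Any request that carries the expected field is honoured, so a page the
// logged-in administrator happens to visit can submit it on their behalf.
// Kept for comparison only; it is deliberately NOT registered on a hook.
function mbi_example_unsafe_save() {
    $title = isset( $_POST['movie_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['movie_title'] ) )
        : '';
    update_option( 'mbi_example_last_title', $title ); // hypothetical option key
    wp_safe_redirect( admin_url( 'admin.php?page=mbi-example' ) );
    exit;
}

// --- Hardened handler ----------------------------------------------------
function mbi_example_safe_save() {
    // 1. Capability check: only users allowed to manage the site may act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'mbi-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Nonce check: check_admin_referer() validates the nonce for this
    //    action against the current user's session and dies on failure.
    //    A forged cross-site request cannot supply a valid nonce.
    check_admin_referer( 'mbi_example_save_movie', 'mbi_example_nonce' );

    // 3. Only now sanitise and store the input.
    $title = isset( $_POST['movie_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['movie_title'] ) )
        : '';
    update_option( 'mbi_example_last_title', $title ); // hypothetical option key
    wp_safe_redirect( admin_url( 'admin.php?page=mbi-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_mbi_example_save_movie', 'mbi_example_safe_save' );

// --- Form that emits the matching nonce ----------------------------------
// wp_nonce_field() prints a hidden input named mbi_example_nonce (plus a
// _wp_http_referer field) that the handler above checks.
function mbi_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mbi_example_save_movie">
        <?php wp_nonce_field( 'mbi_example_save_movie', 'mbi_example_nonce' ); ?>
        <label for="movie_title">Movie title</label>
        <input type="text" id="movie_title" name="movie_title">
        <?php submit_button( 'Save movie' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this weakness, look for every admin_post_*, admin-ajax.php or settings handler that writes data and confirm it calls check_admin_referer() or wp_verify_nonce() and a current_user_can() check before the write; a WAF rule cannot substitute for the nonce because the forged request arrives with the victim's legitimate session cookie.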

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2026-22359 — CSRF in AA-Team Movies Bulk Importer?

CVE-2026-22359 is a Cross-Site Request Forgery vulnerability affecting the AA-Team Wordpress Movies Bulk Importer plugin, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2026-22359 in AA-Team Movies Bulk Importer?

You are affected if you are using the AA-Team Wordpress Movies Bulk Importer plugin in versions up to and including 1.0.

How do I fix CVE-2026-22359 in AA-Team Movies Bulk Importer?

Upgrade to a patched version of the plugin when available. Until then, implement input validation and consider using a WAF with CSRF protection.

Is CVE-2026-22359 being actively exploited?

There are currently no known active exploits for CVE-2026-22359, but it's crucial to apply mitigations proactively.

Where can I find the official AA-Team advisory for CVE-2026-22359?

Check the AA-Team website and the WordPress plugin repository for updates and advisories related to CVE-2026-22359.
