Platform: wordpress
Component: user-importer-and-generator
Fixed in: 1.2.3
A Cross-Site Request Forgery (CSRF) vulnerability exists in the User Generator and Importer plugin for WordPress, affecting versions from 1.0.0 through 1.2.2. This flaw allows unauthenticated attackers to escalate user privileges by creating arbitrary accounts with administrator roles. The vulnerability stems from a lack of nonce validation within the "Import Using CSV File" function, enabling forged requests to bypass security controls. The vulnerability was publicly disclosed on December 5, 2025.
The primary impact of CVE-2025-12879 is the potential for unauthorized privilege escalation. An attacker can craft a malicious link or form that, when clicked by a site administrator, will automatically create a new user account with administrator privileges. This effectively grants the attacker complete control over the WordPress site, allowing them to modify content, install malicious plugins, steal sensitive data, or even completely compromise the system. The attack requires the administrator to interact with the malicious request, typically by clicking a link or submitting a form. Successful exploitation could lead to a complete takeover of the WordPress installation, similar to scenarios where attackers gain admin access to deface websites or deploy malware.
This vulnerability is currently considered to have a medium exploitation probability. It was publicly disclosed on December 5, 2025. While no public proof-of-concept (PoC) code has been observed at the time of this writing, the ease of crafting a CSRF attack makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
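The root cause named above is a CSV-import handler that accepts a state-changing POST without checking a WordPress nonce. The following PHP is an added illustration written for this page, not the plugin's own code or the advisory's: it shows a hypothetical import handler in the unprotected shape the advisory describes, then the hardened shape. Every function and action name prefixed with `hypothetical_` is an assumption; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_insert_user`) are real.

```php
<?php
// Added illustration (not the plugin's actual code). A hypothetical admin-post
// handler for "Import Using CSV File", first as the advisory describes the bug,
// then hardened with a nonce check and a capability check.

// --- Before: no nonce and no capability check. Any form that a logged-in
// --- administrator's browser submits to this endpoint, from any origin, is honoured.
function hypothetical_csv_import_unprotected() {
    if ( ! empty( $_FILES['users_csv']['tmp_name'] ) ) {
        hypothetical_create_users_from_csv( $_FILES['users_csv']['tmp_name'] );
    }
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// --- After: the form carries a nonce bound to this action and the current user.
// --- 'hypothetical_csv_import' is an assumed action name.
function hypothetical_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_csv_import">
        <?php wp_nonce_field( 'hypothetical_csv_import', '_csv_import_nonce' ); ?>
        <input type="file" name="users_csv" accept=".csv">
        <?php submit_button( 'Import Using CSV File' ); ?>
    </form>
    <?php
}

function hypothetical_csv_import_protected() {
    // Stops with a 403 when the nonce is absent, expired, or was issued to another session.
    check_admin_referer( 'hypothetical_csv_import', '_csv_import_nonce' );

    // A nonce proves intent, not authorization: also require the right to create users.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to import users.' ), '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['users_csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['users_csv']['tmp_name'] ) ) {
        wp_die( esc_html__( 'No CSV file was uploaded.' ), '', array( 'response' => 400 ) );
    }

    hypothetical_create_users_from_csv( $_FILES['users_csv']['tmp_name'] );
    wp_safe_redirect( admin_url( 'users.php?imported=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the checks above do the rest.
add_action( 'admin_post_hypothetical_csv_import', 'hypothetical_csv_import_protected' );

// Parses "user_login,user_email,role" rows. Roles come from a fixed allow-list so a
// CSV cannot hand out administrator; anything else falls back to subscriber.
function hypothetical_create_users_from_csv( $path ) {
    $allowed_roles = array( 'subscriber', 'contributor', 'author', 'editor' );
    $fh = fopen( $path, 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        list( $login, $email, $role ) = array_pad( $row, 3, 'subscriber' );
        if ( ! in_array( $role, $allowed_roles, true ) ) {
            $role = 'subscriber';
        }
        wp_insert_user( array(
            'user_login' => sanitize_user( $login, true ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $role,
        ) );
    }
    fclose( $fh );
}
```

The two checks are independent: the nonce defeats cross-site forgery because a third-party page cannot read the per-session token, while `current_user_can()` ensures that even a legitimately submitted form cannot create users on behalf of someone without that capability. The role allow-list is an extra layer so that a bug in either check cannot be turned into an administrator account by the file contents alone.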
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-12879 is to upgrade the User Generator and Importer plugin to a version that addresses the vulnerability. Unfortunately, a fixed version is not specified in the provided data. As a temporary workaround, implement strict Content Security Policy (CSP) headers to restrict the origin of scripts that can be executed on the site. Additionally, carefully review any CSV import requests and consider implementing a manual approval process for new user accounts. Monitor WordPress logs for suspicious activity, particularly related to user creation and privilege changes. Consider using a WordPress security plugin that provides CSRF protection.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
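The monitoring step above (watching for user creation and privilege changes) can be done inside WordPress itself. The following must-use plugin is an added example for this page, not part of the advisory or the affected plugin; the `hypothetical_` names are assumptions, while the `user_register` and `set_user_role` hooks, `get_users()`, and its `date_query` argument are real WordPress APIs. It writes one log line whenever an administrator account is created or an existing user is promoted to administrator, together with the acting user, client address and Referer, and it offers a retrospective query for administrators registered recently.

```php
<?php
/*
Plugin Name: Admin-creation audit (added illustration for this page, hypothetical)
Description: Logs administrator creation and promotion; drop into wp-content/mu-plugins/.
*/

// Who was logged in and where the request came from. For a forged cross-site request
// the actor is the administrator whose session was used and the Referer is not this site.
function hypothetical_audit_context() {
    $actor   = wp_get_current_user();
    $server  = function ( $key ) {
        return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : '-';
    };
    return sprintf(
        'actor=%s ip=%s referer=%s uri=%s',
        ( $actor && $actor->ID ) ? $actor->user_login : 'anonymous',
        $server( 'REMOTE_ADDR' ),
        $server( 'HTTP_REFERER' ),
        $server( 'REQUEST_URI' )
    );
}

// Fires after wp_insert_user() has stored the user and assigned its role.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        error_log( sprintf(
            '[user-audit] NEW ADMIN user_id=%d login=%s %s',
            $user_id, $user->user_login, hypothetical_audit_context()
        ) );
    }
}, 10, 1 );

// Fires from WP_User::set_role() when an existing user's role changes.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        error_log( sprintf(
            '[user-audit] PROMOTED TO ADMIN user_id=%d old_roles=%s %s',
            $user_id, implode( ',', (array) $old_roles ), hypothetical_audit_context()
        ) );
    }
}, 10, 3 );

// Retrospective review: administrators whose account was registered in the last N days.
// Useful when the log above was not yet in place during the exposure window.
function hypothetical_recent_admins( $days = 30 ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => "-{$days} days" ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
}
```

A log line whose actor is a legitimate administrator but whose Referer is an external site, or is absent while the request URI is the import endpoint, is the signature a forged request leaves behind; pair the log with an alert on any `NEW ADMIN` or `PROMOTED TO ADMIN` entry, and run `hypothetical_recent_admins()` (for example from a WP-CLI `eval` call) when reviewing a site that ran an affected version.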
CVE-2025-12879 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress User Generator and Importer plugin, allowing attackers to create administrator accounts without authentication.
You are affected if you are using the User Generator and Importer plugin in versions 1.0.0–1.2.2. Upgrade to a patched version as soon as it becomes available.
Upgrade the User Generator and Importer plugin to a version that addresses the vulnerability. Until a patch is available, implement CSP headers and monitor user creation activity.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted. Monitor your systems closely.
Refer to the WordPress plugin repository and security announcements for updates regarding this vulnerability.