Platform: wordpress
Component: movies-importer
Fixed in: 1.0.1
CVE-2026-22359 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the AA-Team Wordpress Movies Bulk Importer plugin. The flaw lets an attacker cause an authenticated user's browser to submit plugin requests the user never intended to make, potentially leading to unauthorized modifications or deletions of movie data. The vulnerability affects versions of the plugin up to and including 1.0. A fix is pending release from the vendor.
A successful CSRF attack could allow an attacker to manipulate the Movies Bulk Importer plugin without the user's knowledge or consent. This could involve adding malicious movie entries, modifying existing movie details (e.g., changing ratings, descriptions, or links), or even deleting legitimate movie data. The impact is amplified if the plugin is used in a high-traffic website or if it integrates with other critical systems. While the direct impact is limited to the plugin's functionality, a compromised plugin could be a stepping stone for further attacks on the WordPress site itself, particularly if other vulnerabilities exist.
CVE-2026-22359 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (0% percentile)
As a fix is not yet available, interim mitigation is essential. Implement strict input validation on all user-supplied data handled by the plugin to prevent malicious payloads. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block suspicious requests. Additionally, enforce strong password policies and encourage users to enable two-factor authentication on their WordPress accounts. Regularly review and audit plugin configurations to identify potential weaknesses. Once a patched version is released, upgrade immediately and verify the fix by confirming that a known CSRF payload is now rejected.
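The standard CSRF defence for a WordPress plugin is WordPress's own nonce mechanism paired with a capability check, which is what a vendor patch for this class of bug normally adds. The following is an added example written for this page, not code from the Movies Bulk Importer plugin or the advisory: it shows an admin-post handler without those checks and then the hardened form. The `mbi_` function names, the `movie_title` field, the `movie` post type and the `mbi-import` admin page slug are all hypothetical; `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*` and the sanitisation helpers are real WordPress APIs.

```php
<?php
/**
 * Added example (not plugin or advisory code): a WordPress admin-post handler
 * in a CSRF-prone form and in a hardened form. All "mbi_" names, the
 * "movie_title" field and the "movie" post type are hypothetical.
 */

// Hypothetical persistence helper so the example is self-contained.
function mbi_store_movie( $title ) {
    return wp_insert_post( array(
        'post_type'   => 'movie',
        'post_title'  => $title,
        'post_status' => 'publish',
    ) );
}

// --- CSRF-prone pattern -------------------------------------------------
// Nothing ties this request to a form the user actually submitted. Any POST to
// admin-post.php?action=mbi_import_unsafe sent by a browser that holds a
// logged-in cookie is executed with that user's privileges.
function mbi_handle_import_unsafe() {
    $title = isset( $_POST['movie_title'] ) ? $_POST['movie_title'] : '';
    mbi_store_movie( $title );
}
add_action( 'admin_post_mbi_import_unsafe', 'mbi_handle_import_unsafe' );

// --- Hardened pattern ---------------------------------------------------
// 1. The form carries a nonce bound to the action and to the current user.
function mbi_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mbi_import">
        <?php wp_nonce_field( 'mbi_import_action', 'mbi_import_nonce' ); ?>
        <label>Movie title <input type="text" name="movie_title"></label>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}

// 2. The handler refuses the request unless the caller holds the capability
//    AND the nonce verifies. A cross-site page cannot read the nonce value
//    out of the victim's form, so a forged request fails the second check.
function mbi_handle_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() with a 403 when the nonce is
    // missing, expired, or was issued for another user or action.
    check_admin_referer( 'mbi_import_action', 'mbi_import_nonce' );

    // Input validation is still applied, but it is the nonce that stops CSRF.
    $title = isset( $_POST['movie_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['movie_title'] ) )
        : '';
    if ( '' === $title ) {
        wp_die( 'A movie title is required.', '', array( 'response' => 400 ) );
    }
    mbi_store_movie( $title );

    // Redirect after a state-changing POST so a refresh does not resubmit it.
    wp_safe_redirect( admin_url( 'admin.php?page=mbi-import&imported=1' ) );
    exit;
}
add_action( 'admin_post_mbi_import', 'mbi_handle_import' );
```

When auditing a plugin for this bug class, look at every `admin_post_*`, `wp_ajax_*` and custom `admin.php` handler that changes data and confirm it performs both the nonce check and a capability check; a WAF rule that blocks requests without a matching Origin or Referer header is a useful second layer, but it does not replace the nonce.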
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-22359 is a Cross-Site Request Forgery vulnerability affecting the AA-Team Wordpress Movies Bulk Importer plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using the AA-Team Wordpress Movies Bulk Importer plugin in versions up to and including 1.0.
Upgrade to a patched version of the plugin when available. Until then, implement input validation and consider using a WAF with CSRF protection.
There are currently no known active exploits for CVE-2026-22359, but it's crucial to apply mitigations proactively.
Check the AA-Team website and the WordPress plugin repository for updates and advisories related to CVE-2026-22359.