Platform: wordpress
Component: simple-membership-wp-user-import
Fixed in: 1.9.2
CVE-2026-24986 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Simple Membership WP user Import plugin for WordPress. The flaw lets an attacker trigger the plugin's actions with the privileges of a logged-in user who is lured to a page the attacker controls, potentially leading to data manipulation or account compromise. All versions up to and including 1.9.1 are affected (the advisory lists the range as 0.0.0 through 1.9.1); the fix is in version 1.9.2.
A CSRF attack rides on the victim's existing session: the browser attaches the WordPress login cookie to a request that an attacker-controlled page submits, and without a per-request token the server cannot distinguish that request from one the user intended. In the context of Simple Membership WP user Import, an attacker who gets a logged-in administrator to open such a page could potentially modify user profiles, change membership settings, or perform other administrative tasks without the user's knowledge. The impact is amplified on sites that hold sensitive user data or critical membership roles. While the CVSS score is medium (the attack needs a privileged user to visit the attacker's page), the forged request requires no credentials of its own and is trivial to construct, so this remains a significant concern, especially for sites with a large user base or high-value membership tiers.
CVE-2026-24986 was publicly disclosed on 2026-02-03. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF vulnerabilities, it is prudent to assume that an exploit could be developed and deployed relatively quickly.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24986 is to upgrade the Simple Membership WP user Import plugin to version 1.9.2 or later as soon as possible. If the upgrade must wait for compatibility testing, be realistic about the interim options. The proper fix is a CSRF token on every state-changing form and handler in the plugin (in WordPress terms, wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() in the handler), but applying that yourself means patching the plugin's code, which is rarely practical; deactivating the plugin until it can be updated is the simpler interim measure. A Web Application Firewall cannot reliably recognise a forged request, because at the HTTP level it looks like any other authenticated request, but rules that reject state-changing requests to wp-admin whose Origin or Referer header points outside your own site add a partial layer of defence. Avoid browsing untrusted sites while logged in to wp-admin, regularly review WordPress plugin security best practices, and consider a security plugin with CSRF protection capabilities.
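To make the weakness and its fix concrete, the following is an added example and not code from the Simple Membership WP user Import plugin or its authors; the plugin's real handler names and form fields are not published on this page. It assumes a hypothetical admin-post action `smwui_import`, a nonce field `smwui_nonce`, and a stand-in import routine `smwui_do_import()`, and shows the handler in the unprotected shape that is vulnerable to CSRF beside a hardened version that uses WordPress nonces:

```php
<?php
/**
 * Added example for illustration only; not code from the Simple Membership
 * WP user Import plugin. The action name 'smwui_import', the nonce name
 * 'smwui_nonce', and smwui_do_import() are hypothetical.
 */

// Stand-in for the real import routine: a state-changing operation that
// must only run when the administrator actually intended it.
function smwui_do_import( array $fields ) {
    // ... parse the uploaded CSV and create/update WordPress users ...
}

// --- Vulnerable pattern (the CSRF shape): trusts the session cookie alone --
// Deliberately not registered below; shown for contrast with the hardened one.
function smwui_import_vulnerable() {
    // A capability check alone does not stop CSRF: the administrator who
    // loads the attacker's page already has manage_options, and their
    // browser attaches the wp-admin cookies to the forged request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    smwui_do_import( $_POST ); // the attacker chooses every field
}

// --- Hardened pattern: nonce (intent) + capability (permission) + POST only --
add_action( 'admin_post_smwui_import', 'smwui_import_hardened' );
function smwui_import_hardened() {
    // 1. Intent: the nonce is generated per user and per action and lives in
    //    the admin page's HTML, which a cross-origin page cannot read.
    //    A missing or stale nonce stops the request here with WordPress's
    //    "link has expired" page.
    check_admin_referer( 'smwui_import', 'smwui_nonce' );

    // 2. Permission: the nonce proves the user meant it, not that they may.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 3. State changes only over POST; a GET-triggered action can be forged
    //    with a plain <img src="..."> tag and needs no user interaction.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method Not Allowed', '', array( 'response' => 405 ) );
    }

    smwui_do_import( wp_unslash( $_POST ) );
    wp_safe_redirect( admin_url( 'users.php?page=smwui&imported=1' ) );
    exit;
}

// The legitimate form must carry the nonce that the handler verifies.
function smwui_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="smwui_import">
        <?php wp_nonce_field( 'smwui_import', 'smwui_nonce' ); ?>
        <input type="file" name="csv">
        <?php submit_button( 'Import users' ); ?>
    </form>
    <?php
}
```

check_admin_referer() binds the token to the current user and to the action string, so a token captured from one form cannot be replayed against another, and WordPress nonces expire on a rolling window of roughly 24 hours. The point the vulnerable variant illustrates is that authentication and authorization checks, however strict, say nothing about whether the user intended the request; only the token does.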
Update to version 1.9.2, or a newer patched version
CVE-2026-24986 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Simple Membership WP user Import versions 0.0.0–1.9.1, allowing attackers to forge requests and potentially modify user data.
You are affected if you are using Simple Membership WP user Import version 0.0.0 through 1.9.1. Upgrade to 1.9.2 or later to resolve the issue.
Upgrade the Simple Membership WP user Import plugin to version 1.9.2 or later. If an immediate upgrade is not possible, deactivate the plugin until you can update; adding CSRF tokens yourself means patching the plugin's code.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be exploited.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.