Platform: wordpress
Component: simple-membership-wp-user-import
Fixed in: 1.9.2
CVE-2026-24986 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Simple Membership WP user Import plugin for WordPress. This flaw allows an attacker to execute unauthorized actions on behalf of an authenticated user, potentially leading to data manipulation or account compromise. The vulnerability impacts versions from 0.0.0 up to and including 1.9.1, with a fix available in version 1.9.2.
A successful CSRF attack leverages a user's authenticated session to perform actions they did not explicitly authorize. In the context of Simple Membership WP user Import, an attacker could potentially modify user profiles, change membership settings, or perform other administrative tasks without the user's knowledge. The impact is amplified if the plugin is used in environments with sensitive user data or critical membership roles. While the CVSS score is medium, the ease of exploitation and potential for unauthorized modifications make this a significant concern, especially for sites with a large user base or high-value membership tiers.
CVE-2026-24986 was publicly disclosed on 2026-02-03. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF vulnerabilities, it is prudent to assume that an exploit could be developed and deployed relatively quickly.
Websites utilizing the Simple Membership WP user Import plugin, particularly those with a significant number of users or those handling sensitive membership data, are at risk. Shared WordPress hosting environments where plugin updates are managed centrally are also at increased risk, as a compromised plugin on one site could potentially affect multiple sites.
• wordpress / composer / npm:
grep -r 'wp.insider Simple Membership WP user Import' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep 'Simple Membership WP user Import'
• wordpress / composer / npm:
wp plugin update --all
• generic web: Check for unusual user profile changes or membership modifications that were not initiated by legitimate users.
Disclosure:
Exploit Status:
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-24986 is to immediately upgrade the Simple Membership WP user Import plugin to version 1.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by adding CSRF tokens to all sensitive forms and actions within the plugin. Web Application Firewalls (WAFs) configured with CSRF protection rules can also provide an additional layer of defense. Regularly review WordPress plugin security best practices and consider using a security plugin with CSRF protection capabilities.
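The "CSRF tokens on sensitive forms and actions" workaround maps, in WordPress, onto nonces plus a capability check on the handler. The following is an added illustration written for this advisory, not code from the Simple Membership WP user Import plugin or its developer; every function, hook and field name prefixed `example_` is a hypothetical stand-in, and the CSV layout is an assumption. It shows an admin-side user-import form and its POST handler with the two checks a CSRF-resistant handler needs, next to the unhooked anti-pattern that lacks them.

```php
<?php
// Added example (not the plugin's own code). All example_* names are assumptions.
// Pattern: a nonce tied to one action is rendered into the form and verified
// on submission, and the handler also checks the caller's capability.

// 1. Render the import form with a nonce field bound to the action name.
function example_render_import_form() {
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>"
          enctype="multipart/form-data">
        <input type="hidden" name="action" value="example_import_users">
        <?php wp_nonce_field( 'example_import_users', 'example_import_nonce' ); ?>
        <input type="file" name="import_file" accept=".csv">
        <?php submit_button( 'Import users' ); ?>
    </form>
    <?php
}

// ANTI-PATTERN (not hooked anywhere): no capability check and no nonce check,
// so a forged cross-site POST from a logged-in administrator's browser is accepted.
// This is the class of weakness the advisory describes.
function example_handle_import_users_unsafe() {
    $rows = example_parse_import_file( $_FILES['import_file']['tmp_name'] );
    example_create_users( $rows );
}

// 2. Hardened handler: authorization first, then CSRF verification.
function example_handle_import_users() {
    // Only users allowed to create accounts may import (assumed required capability).
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() stops the request with a 403 "link expired" page when
    // the nonce is missing, invalid, or generated for a different action or user.
    check_admin_referer( 'example_import_users', 'example_import_nonce' );

    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $rows     = example_parse_import_file( $_FILES['import_file']['tmp_name'] );
    $imported = example_create_users( $rows );

    // Redirect back to the admin page with a result count (assumed page slug).
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'example-user-import', 'imported' => $imported ),
        admin_url( 'admin.php' )
    ) );
    exit;
}
add_action( 'admin_post_example_import_users', 'example_handle_import_users' );

// Assumed CSV layout: one "username,email" row per line, no header.
function example_parse_import_file( $path ) {
    $rows = array();
    $fh   = fopen( $path, 'r' );
    if ( ! $fh ) {
        return $rows;
    }
    while ( ( $line = fgetcsv( $fh ) ) !== false ) {
        if ( count( $line ) < 2 ) {
            continue; // skip malformed lines
        }
        $rows[] = array(
            'user_login' => sanitize_user( $line[0], true ),
            'user_email' => sanitize_email( $line[1] ),
        );
    }
    fclose( $fh );
    return $rows;
}

// Create accounts with a random password and the least-privileged default role.
function example_create_users( array $rows ) {
    $created = 0;
    foreach ( $rows as $row ) {
        if ( empty( $row['user_login'] ) || ! is_email( $row['user_email'] ) ) {
            continue;
        }
        $id = wp_insert_user( array(
            'user_login' => $row['user_login'],
            'user_email' => $row['user_email'],
            'user_pass'  => wp_generate_password( 24, true ),
            'role'       => 'subscriber',
        ) );
        if ( ! is_wp_error( $id ) ) {
            $created++;
        }
    }
    return $created;
}
```

The order matters: `current_user_can()` rejects unauthorized callers before any nonce is considered, and `check_admin_referer()` rejects requests that did not originate from a form this site rendered for this user. A nonce alone is not an authorization check, and a capability check alone does not stop a forged request from an administrator's own browser; a handler needs both. For AJAX endpoints the equivalent nonce call is `check_ajax_referer()`.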
Update to version 1.9.2 or a newer patched version.
CVE-2026-24986 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Simple Membership WP user Import versions 0.0.0–1.9.1, allowing attackers to forge requests and potentially modify user data.
You are affected if you are using Simple Membership WP user Import version 0.0.0 through 1.9.1. Upgrade to 1.9.2 or later to resolve the issue.
Upgrade the Simple Membership WP user Import plugin to version 1.9.2 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be exploited.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.