CVE-2025-12879
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to elevate user privileges by creating arbitrary accounts with administrator privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12879
EUVD
EUVD-2025-201400
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress user_generator_and_importer 1.2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

To detect this vulnerability, you can monitor for unauthorized or suspicious user creation activity, especially accounts with administrator roles created via the User Generator and Importer plugin version 1.2.2. Since the vulnerability involves the 'Import Using CSV File' function without nonce validation, look for HTTP POST requests to the plugin's import endpoint that include CSV data or user creation parameters. You can use web server logs or network monitoring tools to identify such requests. For example, using grep on web server logs to find POST requests to the plugin's PHP file (e.g., user-generator.php) or CSV upload attempts. Example commands: 1. grep 'POST .*user-generator.php' /var/log/apache2/access.log 2. grep 'Import Using CSV File' /var/log/apache2/access.log 3. Use WordPress user enumeration commands or database queries to find recently created users with administrator roles, e.g., querying the wp_users and wp_usermeta tables for new admin accounts. Note that no specific detection commands are provided in the resources, but monitoring for unusual admin user creation and inspecting plugin-related HTTP requests is recommended. [1]

Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the User Generator and Importer plugin for WordPress (versions up to and including 1.2.2). It occurs because the plugin's "Import Using CSV File" function lacks nonce validation, allowing an attacker to trick a site administrator into performing an action, such as clicking a malicious link, which then lets the attacker create arbitrary user accounts with administrator privileges without authentication.

Impact Analysis

An attacker can exploit this vulnerability to create administrator accounts on your WordPress site without your knowledge. This privilege escalation can lead to full site compromise, including unauthorized access, data modification, and potential disruption of services.

Mitigation Strategies

To mitigate this vulnerability, immediately update the User Generator and Importer plugin for WordPress to a version later than 1.2.2 where the nonce validation issue is fixed. Additionally, avoid clicking on suspicious links and ensure site administrators are aware of the risk of forged requests. Implementing proper nonce validation and restricting user privilege changes to authenticated and authorized actions can help prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart