CVE-2026-24986
CSRF Vulnerability in Simple Membership WP User Import Plugin

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import (plugin slug simple-membership-wp-user-import) allows Cross-Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through 1.9.1 (that is, every release up to and including 1.9.1).
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-03
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: simple_membership_wp_user_import
Product: simple_membership_wp_user_import
Version / Range: up to and including 1.9.1
CWE
CWE-352 (Cross-Site Request Forgery): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24986 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Simple Membership WP User Import, versions up to and including 1.9.1.

A CSRF flaw lets an attacker make a logged-in user's browser send a request that the user never intended. Because the browser automatically attaches the WordPress session cookie, the plugin treats the forged request as the victim's own action. This can happen if a privileged user (for example a site administrator) clicks a malicious link, visits a crafted web page, or submits a form that the attacker controls.

Exploitation therefore requires user interaction and the involvement of a privileged user: the attacker cannot trigger the vulnerable action on their own.


How can this vulnerability impact me? :

If exploited, this vulnerability could allow an attacker to perform unauthorized actions on behalf of a privileged user within the Simple Membership WP user Import plugin.

However, with a CVSS score of 5.4 the issue is rated medium severity, and exploitation is less likely because it needs both user interaction and a privileged victim.

Users are advised to update to version 1.9.2 or later to mitigate this risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Cross-Site Request Forgery (CSRF) issue affecting the Simple Membership WP user Import plugin versions up to 1.9.1. Detection typically involves verifying the plugin version installed on your WordPress site.

You can check the installed plugin version using WP-CLI or by inspecting the plugin files:

- Use WP-CLI to list installed plugins and their versions: wp plugin list
- Check the plugin version directly in the plugin's main PHP file or readme file located in wp-content/plugins/simple-membership-wp-user-import/

Since this is a CSRF vulnerability, network detection is difficult because it requires user interaction and a privileged user context. Monitoring for suspicious HTTP requests that trigger plugin actions without proper CSRF tokens might help, but no specific commands are provided in the resources. [1]
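The version check described above, as an added example that is not part of the advisory or of the plugin's own code. It reads the "Version:" header that every WordPress plugin carries in its main PHP file and compares it against the first fixed release (1.9.2) with version-aware sorting, so "1.10.0" is correctly treated as newer than "1.9.2". The plugin directory path, the sample file name and the sample header are assumptions constructed for the demonstration; GNU `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Added example: locate a WordPress plugin's main file by its
# "Plugin Name:" header, read its "Version:" header and decide whether
# the installed release is at or below the last affected one (1.9.1).
#
# Equivalent live check on a real site with WP-CLI:
#   wp plugin get simple-membership-wp-user-import --field=version
#
# Assumed default location of the plugin (override with PLUGIN_DIR=...).
PLUGIN_DIR="${PLUGIN_DIR:-/var/www/html/wp-content/plugins/simple-membership-wp-user-import}"
FIXED_VERSION="1.9.2"   # first release stated by the advisory as fixed

# Print the Version: header of the plugin whose main file lives in $1.
# The main plugin file is the one carrying the "Plugin Name:" header.
plugin_version() {
  dir="$1"
  main=$(grep -l '^[[:space:]*]*Plugin Name:' "$dir"/*.php 2>/dev/null | head -n1)
  [ -n "$main" ] || return 1
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$main" | head -n1 | tr -d '\r'
}

# Return 0 (true) when version $1 is strictly lower than version $2.
# Uses sort -V so that "1.10.0" sorts after "1.9.2".
version_lt() {
  [ "$1" != "$2" ] && \
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Return 0 when the plugin in directory $1 is affected (below 1.9.2),
# 1 when it is patched, 2 when no version header could be read.
plugin_affected() {
  v=$(plugin_version "$1") || return 2
  [ -n "$v" ] || return 2
  version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample (not real plugin code): a fake plugin directory with a
# 1.9.1 header so the check can be exercised offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/smwui-sample.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/simple-membership-wp-user-import.php" <<'EOF'
<?php
/*
Plugin Name: Simple Membership WP User Import
Version: 1.9.1
*/
EOF

if plugin_affected "$SAMPLE_DIR"; then
  echo "affected: version $(plugin_version "$SAMPLE_DIR") is below $FIXED_VERSION, update the plugin"
else
  echo "not affected: version $(plugin_version "$SAMPLE_DIR")"
fi
```

To check a live install, run `plugin_affected "$PLUGIN_DIR"` instead of the sample directory; a return code of 2 means no readable header was found and the result should be verified by hand (for example with `wp plugin list`). After confirming an affected version, `wp plugin update simple-membership-wp-user-import` applies the fix described in the next answer.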


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the Simple Membership WP user Import plugin to version 1.9.2 or later, where the vulnerability is fixed.

Additionally, enabling auto-updates for this plugin can help ensure that future vulnerabilities are patched promptly.

Since the vulnerability requires user interaction and privileged user involvement, educating users to avoid clicking suspicious links or visiting untrusted pages can reduce risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The CVE-2026-24986 vulnerability is a Cross-Site Request Forgery (CSRF) issue that allows attackers to trick privileged users into executing unwanted actions. While the vulnerability is classified under OWASP Top 10 A1: Broken Access Control and carries only a medium severity score (CVSS 5.4), it could still lead to unauthorized actions within the affected system.

However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

