CVE-2025-9374
Description
The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Ultimate Tag Warrior Importer WordPress plugin (≤0.2) lacks CSRF protection, allowing unauthenticated attackers to trick admins into importing tags via a crafted link.
The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 0.2. The vulnerability stems from missing or incorrect nonce validation on a function responsible for importing tags. This flaw allows an attacker to forge requests on behalf of an authenticated administrator without their consent [1].
To exploit this vulnerability, an unauthenticated attacker must trick a site administrator into performing an action such as clicking on a malicious link. The attacker does not need any prior authentication or special network access; the attack relies on social engineering to induce administrator-level users to perform that action. The CSRF attack can be executed remotely, and beyond that single action no further user interaction is required [1].
In the event of a successful CSRF attack, an attacker can force the administrator to import arbitrary tags into the WordPress site. While the impact is limited to the tag import functionality, it could be used to inject unwanted or malicious content into the site's taxonomy, potentially affecting site organization or enabling further attacks. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and the limited scope of the action [1].
The plugin has been closed as of August 27, 2025, and is not available for download due to this security issue. Users who have the plugin installed should remove it immediately, as no patched version is available. There is no known workaround other than complete removal of the plugin [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
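The narrative above boils down to one missing check: a WordPress handler that acts on a submitted request without verifying a nonce. The following is an added illustration, not the Ultimate Tag Warrior Importer's own code; the handler and field names (utwi_*) and the capability chosen are assumptions. It places the unprotected pattern beside the form in which a WordPress plugin should verify intent (nonce) and authority (capability) before importing terms.

```php
<?php
// Added illustration, not the plugin's own code. Names prefixed utwi_ are hypothetical.

// Unprotected pattern: an admin-post handler that trusts POST data with no nonce
// and no capability check. A forged cross-site form submission arriving with a
// logged-in administrator's cookies is processed exactly like a legitimate one,
// which is the class of flaw CVE-2025-9374 describes.
add_action( 'admin_post_utwi_import_unprotected', 'utwi_import_unprotected' );
function utwi_import_unprotected() {
    $tags = isset( $_POST['utwi_tags'] ) ? (array) $_POST['utwi_tags'] : array();
    foreach ( $tags as $tag ) {
        wp_insert_term( sanitize_text_field( wp_unslash( $tag ) ), 'post_tag' );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=utwi&done=1' ) );
    exit;
}

// Hardened pattern, part 1: the form embeds a nonce bound to a specific action.
// A third-party page cannot obtain this value, so it cannot forge the request.
function utwi_render_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'utwi_import_tags', 'utwi_nonce' );
    echo '<input type="hidden" name="action" value="utwi_import_hardened">';
    echo '<textarea name="utwi_tags[]"></textarea>';
    submit_button( 'Import tags' );
    echo '</form>';
}

// Hardened pattern, part 2: verify the nonce before any side effect, then check
// that the caller is actually allowed to manage terms.
add_action( 'admin_post_utwi_import_hardened', 'utwi_import_hardened' );
function utwi_import_hardened() {
    // Terminates the request with a 403 unless a valid, unexpired nonce for this
    // action is present in the named field.
    check_admin_referer( 'utwi_import_tags', 'utwi_nonce' );
    // A nonce proves intent, not authority: enforce the capability separately.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $tags = isset( $_POST['utwi_tags'] ) ? (array) $_POST['utwi_tags'] : array();
    foreach ( $tags as $tag ) {
        wp_insert_term( sanitize_text_field( wp_unslash( $tag ) ), 'post_tag' );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=utwi&done=1' ) );
    exit;
}
```

When reviewing a plugin for this flaw, the check is whether every state-changing handler calls check_admin_referer() or wp_verify_nonce() before its first side effect; a nonce check placed after the import, or one whose action string does not match the form, gives no protection.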
Affected products
- (no CPE)
- (no CPE), version range: <=0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.