VYPR
Medium severity 5.4 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-24986


Description

Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Simple Membership WP user Import ≤1.9.1 lets attackers force privileged users to perform unwanted actions via crafted requests.

Root Cause

The Simple Membership WP user Import plugin for WordPress versions up to and including 1.9.1 contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw stems from missing or insufficient CSRF token validation in the plugin's administrative functions, allowing malicious actors to craft requests that, when triggered by a logged-in administrator, execute unauthorized operations [1].

Exploitation

Exploitation requires user interaction—a privileged user must click a malicious link, visit a crafted page, or submit a deceptive form while authenticated to the WordPress admin [1]. The attack does not require prior special privileges beyond the victim's existing session, but the victim must have sufficient permissions for the forged action to succeed [1].

Impact

Successful exploitation enables an attacker to force higher-privileged users (e.g., administrators) to perform unintended actions, such as modifying settings or importing users, under the victim's current authentication [1]. The CVSS v3 base score of 5.4 reflects medium severity due to the requirement for user interaction and the potential for unauthorized state changes [1].

Mitigation

The vendor has released version 1.9.2, which patches this vulnerability by adding proper CSRF protections [1]. Users are strongly advised to update to at least 1.9.2 immediately, either manually or via automated updates if using Patchstack [1]. Those unable to update should contact their hosting provider or web developer for assistance [1].
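The class of fix described above (nonce validation on a state-changing admin action), sketched as an added example using standard WordPress APIs. This is not the plugin's code or its actual patch; every `example_` name, the option key and the form field are hypothetical.

```php
<?php
// Hypothetical admin settings handler. All example_ names are illustrative and
// are not taken from the Simple Membership WP user Import plugin.

// Form: embeds a nonce tied to this action and the logged-in user's session.
function example_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_import_role" />
        <input type="text" name="example_role" value="subscriber" />
        <?php wp_nonce_field( 'example_save_import_role', 'example_import_nonce' ); ?>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Unprotected pattern: the browser attaches the admin's cookies to any request,
// so a cross-site form post reaches update_option() with no proof of intent.
function example_save_import_role_unprotected() {
    $role = sanitize_key( wp_unslash( $_POST['example_role'] ?? '' ) );
    update_option( 'example_import_default_role', $role );
}

// Hardened pattern: capability check, then nonce check, before any state change.
function example_save_import_role() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Ends the request with an error page if the nonce is missing or invalid.
    check_admin_referer( 'example_save_import_role', 'example_import_nonce' );

    $role = sanitize_key( wp_unslash( $_POST['example_role'] ?? '' ) );
    update_option( 'example_import_default_role', $role );

    wp_safe_redirect( admin_url( 'admin.php?page=example-import&updated=1' ) );
    exit;
}
// Register only the hardened handler, and only for authenticated users
// (admin_post_nopriv_* is deliberately not hooked).
add_action( 'admin_post_example_save_import_role', 'example_save_import_role' );
```

When reviewing a plugin for this class of issue, look for handlers that read `$_POST`, `$_GET` or `$_FILES` and change state without a preceding `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call.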

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
