CVE-2025-12879 Overview
The User Generator and Importer plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.2. The flaw stems from missing nonce validation in the Import Using CSV File function. Unauthenticated attackers can forge a request that, when triggered by an authenticated administrator, creates arbitrary user accounts with administrator privileges. Successful exploitation grants full site takeover through privilege escalation. The weakness is classified as CWE-352.
Critical Impact
Attackers who trick a site administrator into clicking a crafted link can create rogue administrator accounts and seize control of the WordPress site.
Affected Products
- WordPress User Generator and Importer plugin versions ≤ 1.2.2
- WordPress sites with the plugin installed and activated
- Administrators authenticated to vulnerable WordPress installations
Discovery Timeline
- 2025-12-05 - CVE-2025-12879 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12879
Vulnerability Analysis
The vulnerability resides in the CSV import handler of the User Generator and Importer plugin. The Import Using CSV File function processes user-supplied CSV data and creates WordPress accounts based on row contents, including assigned roles. The handler executes account creation logic without verifying a WordPress nonce token tied to the administrator's session.
Without nonce validation, the plugin cannot distinguish between an intentional administrator-initiated import and a forged cross-origin request. An attacker hosts a malicious page containing an auto-submitting form that posts a crafted CSV payload to the vulnerable endpoint. When a logged-in administrator visits the page, the browser submits the request with valid session cookies, and the plugin executes the import as if the administrator initiated it.
Root Cause
The root cause is the absence of wp_verify_nonce() or equivalent CSRF token checks in the import action. Reference: WordPress User Generator Code. WordPress provides nonce primitives specifically to prevent this class of state-changing request forgery, but the affected handler does not invoke them before processing the uploaded file.
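What the missing check looks like once added, as an added example and not the plugin's own code: a WordPress admin-post handler for a CSV import that verifies the nonce and the caller's capability before touching the upload. The vulnerable shape is the same handler without those two checks. The hook name ugi_import_csv, the field names and the helper functions are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook, field and function names are
// assumed. The vulnerable shape is this handler without check_admin_referer() and
// the capability test: the import then runs on any POST that carries a file.
function ugi_example_import_csv() {
    // Wraps wp_verify_nonce() on $_REQUEST['ugi_nonce']; dies with 403 if the nonce is
    // missing, expired or not for 'ugi_import_csv'. A foreign-origin form cannot get one.
    check_admin_referer( 'ugi_import_csv', 'ugi_nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ugi-example' ), 403 );
    }
    if ( ! empty( $_FILES['user_csv']['tmp_name'] ) ) {
        ugi_example_create_users_from_csv( $_FILES['user_csv']['tmp_name'] );
    }
}
add_action( 'admin_post_ugi_import_csv', 'ugi_example_import_csv' );

// The legitimate form: wp_nonce_field() emits the hidden nonce input (and a
// _wp_http_referer field) that check_admin_referer() expects.
function ugi_example_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ugi_import_csv">
        <?php wp_nonce_field( 'ugi_import_csv', 'ugi_nonce' ); ?>
        <input type="file" name="user_csv" accept=".csv">
        <?php submit_button( __( 'Import Using CSV File', 'ugi-example' ) ); ?>
    </form>
    <?php
}

// Assumed helper: one account per CSV row (login,email,role). Unknown roles become
// subscriber; administrator needs promote_users, so the CSV alone cannot mint admins.
function ugi_example_create_users_from_csv( $path ) {
    $fh = fopen( $path, 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        list( $login, $email, $role ) = array_pad( $row, 3, '' );
        if ( ! get_role( $role )
            || ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) ) {
            $role = 'subscriber';
        }
        wp_insert_user( array(
            'user_login' => sanitize_user( $login, true ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password(),
            'role'       => $role,
        ) );
    }
    fclose( $fh );
}
```

The nonce is tied to the logged-in user and the action name, so a form on another origin cannot supply one even though the browser will still attach the session cookies.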
Attack Vector
Exploitation requires user interaction from a privileged WordPress administrator. The attacker delivers a link or embeds the forged form on an attacker-controlled page, then lures the administrator through phishing or social engineering. Once the request executes, the CSV payload provisions a new account with the administrator role, granting persistent access. The attack works over the network and requires no prior authentication from the attacker.
For exploitation specifics, see the Wordfence Vulnerability Intel advisory.
Detection Methods for CVE-2025-12879
Indicators of Compromise
- Unexpected WordPress user accounts with the administrator role created without a corresponding admin action.
- Recent POST requests to the plugin's CSV import endpoint originating from external Referer headers.
- New users created with email domains or usernames not associated with the organization.
Detection Strategies
- Audit the wp_users and wp_usermeta tables for accounts created on or after the plugin's installation date and correlate with administrator login activity.
- Inspect web server access logs for cross-origin POST requests to user-generator.php or related plugin endpoints lacking expected nonce parameters.
- Monitor WordPress activity logs for bulk account creation events tied to a single administrator session.
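The access-log check from the strategies above, as an added example that is not part of the advisory: it parses combined-format lines and flags POSTs to the plugin directory whose Referer is missing or from another host. The plugin path is the one used elsewhere on this page; the log lines are constructed, and all three POSTs deliberately carry the administrator's own IP, because in a CSRF the forged form is submitted by the administrator's browser.

```php
<?php
// Added example, not from the advisory or the plugin. Flags POSTs to the plugin
// directory whose Referer is absent or from another host. The plugin path is the
// one used elsewhere on this page; the sample log lines below are constructed.
const UGI_EXAMPLE_PLUGIN_PREFIX = '/wp-content/plugins/user-importer-and-generator/';

// Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const UGI_EXAMPLE_LOG_RE =
    '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function ugi_example_flag_csrf_posts( array $lines, string $site_host ): array {
    $flagged = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( UGI_EXAMPLE_LOG_RE, $line, $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        list( , $ip, $time, $method, $path, $status, $referer ) = $m;
        if ( 'POST' !== $method || 0 !== strpos( $path, UGI_EXAMPLE_PLUGIN_PREFIX ) ) {
            continue;
        }
        // Servers log an absent Referer as "-". Browsers may also strip it under a
        // strict referrer policy, so "missing" is a triage signal, not proof of CSRF.
        $ref_host = ( '' === $referer || '-' === $referer )
            ? '' : strtolower( (string) parse_url( $referer, PHP_URL_HOST ) );
        if ( $ref_host === strtolower( $site_host ) ) {
            continue; // same-origin submission from wp-admin; expected
        }
        $flagged[] = array(
            'ip'     => $ip,
            'time'   => $time,
            'path'   => $path,
            'status' => (int) $status,
            'reason' => '' === $ref_host ? 'missing referer' : "external referer: $ref_host",
        );
    }
    return $flagged;
}

// Constructed sample: a legitimate admin import, a lure-driven import with an external
// Referer, one with no Referer, and an unrelated GET. All POSTs come from the admin's IP.
$ugi_example_lines = array(
    '203.0.113.5 - - [05/Dec/2025:10:01:02 +0000] "POST /wp-content/plugins/user-importer-and-generator/user-generator.php HTTP/1.1" 302 0 "https://your-site.example/wp-admin/admin.php?page=ugi" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2025:10:05:44 +0000] "POST /wp-content/plugins/user-importer-and-generator/user-generator.php HTTP/1.1" 302 0 "https://lure.invalid/win.html" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2025:10:06:01 +0000] "POST /wp-content/plugins/user-importer-and-generator/user-generator.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2025:10:07:10 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8123 "https://your-site.example/wp-admin/" "Mozilla/5.0"',
);

foreach ( ugi_example_flag_csrf_posts( $ugi_example_lines, 'your-site.example' ) as $hit ) {
    printf( "%s %s %s (%s)\n", $hit['time'], $hit['ip'], $hit['path'], $hit['reason'] );
}
```

Correlate each hit with the wp_users creation timestamps from the first strategy; a flagged POST followed within seconds by a new administrator account is the pattern this advisory describes.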
Monitoring Recommendations
- Enable a WordPress audit logging plugin to capture all user-creation events with source IP and referer.
- Alert on creation of any account assigned the administrator role outside of a documented onboarding workflow.
- Review browser security headers and Content Security Policy on the wp-admin interface to limit cross-origin form submissions.
How to Mitigate CVE-2025-12879
Immediate Actions Required
- Deactivate and remove the User Generator and Importer plugin until a patched release is available.
- Review all administrator-level accounts and remove any that cannot be attributed to a legitimate user.
- Force password resets for remaining administrators and rotate WordPress authentication keys and salts in wp-config.php.
Patch Information
No vendor patch is referenced in the available CVE data. Monitor the WordPress plugin repository and the Wordfence advisory for an updated release beyond version 1.2.2 that adds nonce validation to the CSV import handler.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist at the web server or WAF layer to reduce the surface for CSRF lures.
- Deploy a WordPress firewall rule that blocks POST requests to the plugin's import endpoint when the Referer header is absent or external.
- Train administrators to log out of WordPress before browsing untrusted links and to use a dedicated browser profile for site administration.
# Example nginx rule blocking cross-origin POSTs to the vulnerable endpoint.
# nginx rejects nested "if", so the two tests are combined through a variable.
# Carry the site's normal fastcgi_pass/include directives into this block too,
# or matching requests fall out of PHP handling. Replace your-site.example.
location ~* /wp-content/plugins/user-importer-and-generator/.*\.php$ {
    set $block_import 0;
    if ($request_method = POST) {
        set $block_import 1;
    }
    if ($http_referer ~* "^https?://your-site\.example/") {
        set $block_import 0;   # same-origin Referer; an absent or external one keeps the flag
    }
    if ($block_import = 1) {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


