Impact
The User Generator and Importer plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw that lets an unauthenticated attacker create a new user account with administrator privileges. The root cause is missing nonce validation in the "Import Using CSV File" function: the import handler acts on any request that arrives with a logged-in administrator's session cookie, without checking that the administrator actually submitted the import form. An attacker who can lure an administrator into visiting a crafted page or link can therefore have the administrator's browser submit the import on the attacker's behalf, creating an account under the attacker's control and compromising the confidentiality, integrity, and availability of the site. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
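To make the missing check concrete, the following is an added illustration, not the plugin's own source (which this page does not reproduce), of a CSV import handler written in the vulnerable pattern next to a hardened version that uses WordPress's standard nonce and capability checks. The hook, function and form-field names (the ugi_* prefix, users_csv, ugi_import_nonce) and the CSV column layout are assumptions made for the example.

```php
<?php
// Added illustration of the CSRF pattern; not the plugin's actual code.
// Hook, function and field names (ugi_*, users_csv) and the CSV layout
// (user_login,user_email,role) are assumptions for this example.

// ---------- Vulnerable pattern ----------
// The handler trusts the request because a logged-in administrator's cookie
// came with it. Nothing proves the administrator chose to submit this form,
// so a third-party page can post a CSV with role=administrator on their behalf.
add_action('admin_post_ugi_import_csv_vulnerable', 'ugi_import_csv_vulnerable');
function ugi_import_csv_vulnerable() {
    if (isset($_FILES['users_csv']['tmp_name'])) {
        ugi_create_users_from_csv($_FILES['users_csv']['tmp_name'], /* allow_admin */ true);
    }
    wp_redirect(admin_url('users.php'));
    exit;
}

// ---------- Hardened pattern ----------
// The form embeds a nonce tied to the current user and the 'ugi_import_csv'
// action. A cross-origin page cannot read that token, so a forged POST fails.
function ugi_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('ugi_import_csv', 'ugi_import_nonce'); ?>
        <input type="hidden" name="action" value="ugi_import_csv">
        <input type="file" name="users_csv" accept=".csv">
        <?php submit_button('Import users'); ?>
    </form>
    <?php
}

add_action('admin_post_ugi_import_csv', 'ugi_import_csv_hardened');
function ugi_import_csv_hardened() {
    // 1. Capability: the caller must be allowed to create users at all.
    if (!current_user_can('create_users')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. Intent: check_admin_referer() verifies the nonce against the
    //    action name and stops with a 403 page if it is missing or invalid.
    check_admin_referer('ugi_import_csv', 'ugi_import_nonce');
    // 3. Upload sanity before the file is parsed.
    if (empty($_FILES['users_csv']['tmp_name'])
        || $_FILES['users_csv']['error'] !== UPLOAD_ERR_OK) {
        wp_die('No CSV file uploaded.', '', array('response' => 400));
    }
    // 4. Defence in depth: only callers who may promote users can import
    //    administrator rows; for anyone else the role is downgraded.
    ugi_create_users_from_csv($_FILES['users_csv']['tmp_name'],
                              current_user_can('promote_users'));
    wp_safe_redirect(admin_url('users.php'));
    exit;
}

// Shared import routine. Returns the number of accounts created.
function ugi_create_users_from_csv($path, $allow_admin) {
    $created = 0;
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return 0;
    }
    while (($row = fgetcsv($fh)) !== false) {
        if (count($row) < 3) {
            continue; // malformed line
        }
        list($login, $email, $role) = array_map('trim', $row);
        $role = strtolower($role);
        if ($role === 'administrator' && !$allow_admin) {
            $role = 'subscriber';
        }
        if (get_role($role) === null) {
            continue; // unknown role name
        }
        $result = wp_insert_user(array(
            'user_login' => sanitize_user($login, true),
            'user_email' => sanitize_email($email),
            'user_pass'  => wp_generate_password(24),
            'role'       => $role,
        ));
        if (!is_wp_error($result)) {
            $created++;
        }
    }
    fclose($fh);
    return $created;
}
```

The two handlers are registered under different admin_post action names only so they can sit side by side; a real fix replaces the first with the second. check_admin_referer() terminates the request on failure; where a handler needs to return an error instead, wp_verify_nonce($_POST['ugi_import_nonce'], 'ugi_import_csv') gives the same check as a boolean. The capability check matters independently of the nonce: a nonce proves intent, not authority, so both are needed.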
Affected Systems
Vendor: vinoth06. Product: User Generator and Importer plugin for WordPress. Affected versions: all releases up to and including 1.2.2. Any site running one of these versions with the plugin active is affected, whatever its other users or roles, because exploitation needs only one logged-in administrator to be lured. Backports or custom forks that still carry the vulnerable import routine are equally at risk.
Risk and Exploitability
The CVSS v3.1 base score of 8.8 (High) reflects that a successful attack yields full administrative control of the site. The EPSS score of below 1% suggests a low current probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog, which likewise points to limited active exploitation. Exploitation follows the usual CSRF pattern: the attacker hosts a page or link that causes a logged-in administrator's browser to submit the import request, so some social engineering of a site administrator is required. Once that step succeeds, however, the account is created in a single request, so unpatched installations can be taken over quickly by an attacker who targets them.
OpenCVE Enrichment