Impact
A Cross‑Site Request Forgery vulnerability exists in the AA‑Team WordPress Movies Bulk Importer plugin for WordPress, in versions up to and including 1.0. The flaw lets an attacker cause a logged‑in victim's browser to submit forged requests, so that bulk import actions the victim is authorized to perform are executed without the victim's intent. This could lead to unauthorized creation or manipulation of data in the plugin's database, compromising the integrity of movie listings and potentially exposing sensitive configuration data if the bulk import also writes additional metadata.
Affected Systems
The vulnerability affects WordPress sites with the AA‑Team WordPress Movies Bulk Importer plugin at version 1.0 or earlier installed. Sites running later releases are not impacted. Administrators holding the default role that grants access to the import feature are at risk if they leave the plugin enabled in a publicly reachable environment.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk. The EPSS value of less than 1% suggests a low probability of real‑world exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated user to be logged in at the moment a malicious webpage triggers the import action. If privileged users are frequently active, the potential impact increases, especially if the bulk import endpoint accepts arbitrary file uploads or tampered data. Regular monitoring of application logs for unexpected bulk import activity can provide early warning of abuse.
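The handler pattern that produces this class of bug, beside its hardened form using a WordPress nonce and capability check, as an added PHP illustration that is not the plugin's own code: the action name movies_bulk_import, the capability manage_options, the field name movies_csv and the helper movies_bulk_import_run() are all assumptions.

```php
<?php
// Added illustration, not code from the AA-Team plugin. The action name,
// capability, field names and movies_bulk_import_run() are hypothetical.
// Shared import routine: one movie title per line becomes a 'movie' post.
function movies_bulk_import_run( $csv ) {
    $created = 0;
    foreach ( preg_split( '/\r\n|\r|\n/', $csv ) as $line ) {
        $title = trim( $line );
        if ( '' === $title ) {
            continue;
        }
        $id = wp_insert_post( array( 'post_type' => 'movie', 'post_status' => 'publish', 'post_title' => $title ) );
        if ( $id && ! is_wp_error( $id ) ) {
            $created++;
        }
    }
    return $created;
}
// VULNERABLE pattern (shown for contrast, not registered): any POST that
// arrives on an authenticated session is acted on, so a form auto-submitted
// from a third-party page drives the import with the victim's privileges.
function movies_bulk_import_handler_vulnerable() {
    $csv = isset( $_POST['movies_csv'] ) ? wp_unslash( $_POST['movies_csv'] ) : '';
    movies_bulk_import_run( $csv ); // no nonce check, no capability check
}
// HARDENED pattern: the request must carry a nonce minted for this action and
// this user's session, and the user must hold the capability the feature needs.
function movies_bulk_import_handler_hardened() {
    check_admin_referer( 'movies_bulk_import' ); // dies unless _wpnonce is valid for this action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $csv = isset( $_POST['movies_csv'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['movies_csv'] ) )
        : '';
    $n = movies_bulk_import_run( $csv );
    wp_safe_redirect( admin_url( 'admin.php?page=movies-bulk-import&imported=' . (int) $n ) );
    exit;
}
add_action( 'admin_post_movies_bulk_import', 'movies_bulk_import_handler_hardened' );
// The plugin's own form must emit the matching nonce; wp_nonce_field() adds
// the hidden _wpnonce input that check_admin_referer() verifies above.
function movies_bulk_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="movies_bulk_import">';
    wp_nonce_field( 'movies_bulk_import' );
    echo '<textarea name="movies_csv"></textarea><button type="submit">Import</button></form>';
}
```

A forged cross-site form cannot supply a valid _wpnonce, because the nonce is derived from the victim's session and the action name, so the hardened handler rejects it before any import runs.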
OpenCVE Enrichment