Impact
The vulnerability is a cross-site request forgery (CSRF) flaw in the Simple Membership WP user Import plugin. An attacker can trick an authenticated user into loading a crafted request that causes the plugin to perform a user import operation on that user's behalf. Because the import process can create or modify accounts, the attacker could potentially create new administrative accounts or alter existing user data without authorization. The flaw stems from the plugin not verifying the caller's intent (for example, via a nonce) before executing the import action, a typical instance of CWE-352.
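The missing intent check described above is what a CSRF-safe WordPress import handler has to supply. The following is an added example, not code from the plugin or from wp.insider: a hypothetical admin-post handler (all function, action and field names are assumed) that performs both the capability check and the nonce check before touching any accounts.

```php
<?php
// Added example, not the plugin's own code. Hypothetical action and nonce
// names; the real plugin's internals are not known from the advisory.
const EX_IMPORT_ACTION = 'ex_user_csv_import';
const EX_NONCE_ACTION  = 'ex_user_csv_import_nonce';

// Render the upload form. wp_nonce_field() embeds a per-user, time-limited
// token that a page on another origin cannot read, so it cannot be forged.
function ex_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EX_IMPORT_ACTION ); ?>">
        <?php wp_nonce_field( EX_NONCE_ACTION, '_ex_nonce' ); ?>
        <input type="file" name="users_csv" accept=".csv">
        <?php submit_button( 'Import users' ); ?>
    </form>
    <?php
}

// Handle the submission. Both checks are needed: the capability check limits
// WHO may import; the nonce check proves the user INTENDED this request.
// A handler that has only the first check is the CWE-352 pattern.
function ex_handle_import() {
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Verifies the nonce (and referer) and stops with 403 on failure.
    check_admin_referer( EX_NONCE_ACTION, '_ex_nonce' );

    if ( empty( $_FILES['users_csv']['tmp_name'] ) ) {
        wp_die( 'No CSV uploaded.', '', array( 'response' => 400 ) );
    }
    $rows = array_map( 'str_getcsv', file( $_FILES['users_csv']['tmp_name'] ) );
    foreach ( $rows as $row ) {
        if ( count( $row ) < 2 ) {
            continue; // skip malformed lines (expected: login,email)
        }
        list( $login, $email ) = $row;
        // Do not take the role from the file: pin imported accounts to a
        // low-privilege role so a crafted CSV cannot mint administrators.
        wp_insert_user( array(
            'user_login' => sanitize_user( $login ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password(),
            'role'       => 'subscriber',
        ) );
    }
    wp_safe_redirect( add_query_arg( 'imported', count( $rows ), wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_' . EX_IMPORT_ACTION, 'ex_handle_import' );
```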
Affected Systems
Only the wp.insider Simple Membership WP user Import plugin, versions 1.9.1 and lower, is affected. The plugin is a WordPress add-on that facilitates bulk user imports via CSV files. Sites running any of these versions are vulnerable regardless of configuration. No other plugins or WordPress core components are implicated.
Risk and Exploitability
The CVSS base score of 5.4, combined with an EPSS of less than 1 %, indicates moderate severity and a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim who is logged in with sufficient privileges to access the plugin's import interface and who is then tricked into issuing the crafted request, so user interaction is required. Because no exploit has been publicly disclosed, the overall risk remains limited but still warrants remediation.
OpenCVE Enrichment