CVE-2019-14683
MEDIUMImport users from CSV with meta < 1.14.2.2 - Cross-Site Request Forgery via admin-ajax.php
Title source: llmDescription
The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.
References (4)
Core 4
Core References
Release Notes x_refsource_misc
https://wordpress.org/plugins/import-users-from-csv-with-meta/#developers
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9392
Product x_refsource_misc
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta?rev=2112013
Exploit, Third Party Advisory x_refsource_misc
https://www.pluginvulnerabilities.com/2019/06/21/cross-site-request-forgery-csrf-media-deletion-vulnerability-in-import-users-from-csv-with-meta/
Scores
CVSS v3
5.7
EPSS
0.0068
EPSS Percentile
47.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
Status
published
Products (1)
codection/import_users_from_csv_with_meta
< 1.14.2.2
Published
Aug 08, 2019
Tracked Since
Feb 18, 2026