CVE-2026-22359 MEDIUM

CVE-2026-22359: WordPress Wordpress Movies Bulk Importer plugin <= 1.0 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Aa-Team
Product Wordpress Movies Bulk Importer
Weakness CWE-352 · CSRF
Published January 22, 2026
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery.This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0.

Explanation of Vulnerability in Simple Terms

02Summary

The WordPress Movies Bulk Importer plugin through version 1.0 is vulnerable to cross-site request forgery (CSRF). An attacker can trick a logged-in site administrator into performing unintended actions, such as importing malicious movie data or modifying plugin settings. The vulnerability requires the admin to visit a malicious webpage while authenticated to the WordPress site.

What an attacker can do

03Attacker Capabilities

Trick an authenticated admin into performing unintended actions like importing data or changing plugin settings.

Potential impact on your site

04Site Impact

An attacker could modify plugin settings or import malicious data without your knowledge or consent.

Conditions required to exploit

05Prerequisites

Admin must be logged into WordPress and visit an attacker-controlled webpage.

Key dates

06Disclosure timeline

January 22, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2024-37417 WordPress Coachify theme <= 1.0.7 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-23880 WordPress amr personalise plugin <= 2.10 - CSRF to Stored XSS vulnerability CVE-2025-25123 WordPress Easy Related Posts plugin <= 2.0.2 - CSRF to Stored XSS vulnerability CVE-2025-48309 WordPress BetPress plugin <= 1.0.1 Lite - CSRF to Stored XSS vulnerability CVE-2023-23974 WordPress Quick Event Manager Plugin <= 9.7.4 is vulnerable to Cross Site Request Forgery (CSRF)