Cross-Site Request Forgery (CSRF)/User Import Vulnerability in Members Import
Recently we have been taking a quick look for security issues in plugins that handle importing users into WordPress, since their functionality could be useful to hackers.
In looking over the Members Import plugin we found that, as of version 1.3, the plugin does not include protection against cross-site request forgery (CSRF) for requests to import users. So if you could get a logged-in administrator to access a page you control, you could cause them to create a new user with the Administrator role that you would then have access to.
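
The protection that is missing here is normally a nonce check plus a capability check on the import request. The sketch below is an added example, not the Members Import plugin's code: the `example_*` action and field names, the `login,email,role` CSV layout and the role allowlist are assumptions made for illustration.

```php
<?php
// Added example; example_* names, CSV columns and the role allowlist are assumptions.
function example_import_form() { // callback that renders the admin import page ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import_users">
        <?php wp_nonce_field( 'example_import_users', 'example_import_nonce' ); ?>
        <input type="file" name="users_csv" accept=".csv">
        <?php submit_button( 'Import' ); ?>
    </form>
<?php }

// Logged-in requests only: no admin_post_nopriv_ handler is registered.
add_action( 'admin_post_example_import_users', 'example_handle_import' );

function example_handle_import() {
    // Dies unless the nonce is present, unexpired and tied to this user and action.
    check_admin_referer( 'example_import_users', 'example_import_nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'You are not allowed to import users.', '', array( 'response' => 403 ) );
    }
    $file = $_FILES['users_csv']['tmp_name'] ?? '';
    if ( ! is_uploaded_file( $file ) ) {
        wp_die( 'No CSV file was uploaded.', '', array( 'response' => 400 ) );
    }
    $handle = fopen( $file, 'r' );
    if ( ! $handle ) {
        wp_die( 'The uploaded file could not be read.', '', array( 'response' => 400 ) );
    }
    // Assumption: imports never grant Administrator; unknown roles fall back to subscriber.
    $allowed_roles = array( 'subscriber', 'contributor', 'author', 'editor' );
    $created       = 0;
    while ( false !== ( $row = fgetcsv( $handle, 0, ',', '"', '\\' ) ) ) {
        if ( count( $row ) < 3 ) { continue; } // constructed format: login,email,role
        list( $login, $email, $role ) = $row;
        $id = wp_insert_user( array(
            'user_login' => sanitize_user( $login, true ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => in_array( $role, $allowed_roles, true ) ? $role : 'subscriber',
        ) );
        if ( ! is_wp_error( $id ) ) { $created++; }
    }
    fclose( $handle );
    wp_safe_redirect( admin_url( 'users.php?imported=' . $created ) );
    exit;
}
```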