CVE-2025-63030

Severity: HIGH, CVSS 3.1 base score 7.1
Published: 2025-12-09 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: Dec 09, 2025 - 16:18 (nvd)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.3.

Analysis

Cross-Site Request Forgery in the WordPress New User Approve plugin (versions <= 3.2.3) lets a remote attacker with no account of their own make an authenticated administrator's browser submit state-changing requests to the plugin. The EPSS probability of 0.02% (5th percentile) and the absence of the CVE from CISA KEV indicate no observed exploitation so far, so the practical risk is moderate despite the 7.1 base score. The vector requires user interaction (UI:R) but no attacker privileges (PR:N): the administrator must, while holding a logged-in wp-admin session, open an attacker-controlled page or link, which is well within reach of a phishing email. The Low confidentiality, integrity and availability ratings reflect the usual shape of CSRF: the attacker chooses which plugin action runs but cannot read the response.

Technical Context

The New User Approve WordPress plugin from Saad Iqbal does not properly validate a CSRF token on at least one administrative state-changing operation, a classic CWE-352 weakness. CSRF abuses the fact that a browser attaches the victim's session cookies to any request it makes to the target site, regardless of which page initiated the request. In WordPress plugins this almost always means a handler registered on admin_post_{action}, an admin-ajax.php action or an admin page that omits nonce verification (check_admin_referer() or wp_verify_nonce()): WordPress core does not enforce nonces on these entry points, so every plugin handler has to do it itself. A WordPress nonce is bound to the action name, the user and the session and is valid for 12 to 24 hours by default, which is what prevents a third-party page from forging the request, since it has no way to obtain the token. With that check absent, an attacker hosts an HTML form or script that auto-submits a request to the plugin endpoint; if an administrator visits that page while logged in, the request executes with the administrator's privileges. Because the plugin gates new user registrations, plausible outcomes are unauthorized approval of a pending, attacker-registered account, changes to the approval settings, or denial of legitimate registrations, none of which the administrator sees happening. The advisory does not name the specific handler that lacks the check. Browser SameSite=Lax defaults for cookies set without an explicit attribute reduce exposure for POST-only handlers, but WordPress authentication cookies carry no SameSite attribute, not every browser applies the Lax default, and handlers that also accept GET remain exploitable, so that default is not a substitute for nonces.
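The two patterns described above, side by side, as an added illustration that is not code from the New User Approve plugin (the advisory does not publish the affected handler). The hook names nua_demo_approve_user and nua_demo_approve_user_safe, the nonce action and field names, and the nua_demo_status user-meta key are invented for the example; check_admin_referer(), wp_nonce_field(), current_user_can() and the admin_post_{action} hook are real WordPress core APIs:

```php
<?php
/*
 * Illustrative example added to this page. It is NOT code from the
 * New User Approve plugin; hook names, nonce names and the meta key
 * are assumptions chosen to show the CWE-352 pattern and its fix.
 */

// --- Vulnerable pattern: the state change is keyed only on the session cookie ---
// admin_post_{action} hooks fire only for logged-in users (admin_post_nopriv_
// for anonymous ones), so "logged in" is already implied here and proves nothing
// about where the request came from.
add_action( 'admin_post_nua_demo_approve_user', 'nua_demo_approve_user_vulnerable' );
function nua_demo_approve_user_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );
    // A cross-site form POST carrying the admin's cookies reaches this line.
    update_user_meta( $user_id, 'nua_demo_status', 'approved' ); // hypothetical meta key
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// --- Hardened pattern: capability check plus a nonce bound to action, user and session ---
add_action( 'admin_post_nua_demo_approve_user_safe', 'nua_demo_approve_user_safe' );
function nua_demo_approve_user_safe() {
    // Authorization: may this user manage accounts at all? (A nonce is not an
    // authorization check; both are needed.)
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );
    // CSRF defense: the nonce must have been issued by a form this admin rendered
    // for this exact user id. check_admin_referer() calls wp_die() with 403 on
    // mismatch or expiry, so execution does not continue past it on failure.
    check_admin_referer( 'nua_demo_approve_user_' . $user_id, 'nua_demo_nonce' );
    update_user_meta( $user_id, 'nua_demo_status', 'approved' );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Form side: the nonce action and field name must match the check above exactly.
function nua_demo_render_approve_form( $user_id ) {
    $user_id = absint( $user_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nua_demo_approve_user_safe">
        <input type="hidden" name="user_id" value="<?php echo esc_attr( $user_id ); ?>">
        <?php wp_nonce_field( 'nua_demo_approve_user_' . $user_id, 'nua_demo_nonce' ); ?>
        <button type="submit">Approve</button>
    </form>
    <?php
}
```

Including the target user id in the nonce action string means a token issued for approving one pending account cannot be replayed against another, which a bare check_admin_referer( 'approve' ) would allow.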

Affected Products

The vulnerability affects the New User Approve plugin for WordPress developed by Saad Iqbal, in all versions up to and including 3.2.3. The plugin is distributed through the WordPress plugin repository and implements an administrator-controlled approval workflow for new user registrations. Patchstack and NVD give the affected range as "n/a through 3.2.3": no lower bound is identified, so every deployed instance running 3.2.3 or earlier should be treated as vulnerable. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) carries 3.2.0 in its URL, while NVD records the affected range as extending through 3.2.3.

Remediation

WordPress administrators should update the New User Approve plugin to the first release after 3.2.3 from the official WordPress plugin repository as soon as one is available. Check the plugin changelog at wordpress.org/plugins/new-user-approve for an entry addressing CVE-2025-63030, and monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-0-cross-site-request-forgery-csrf-vulnerability for patch status. If no fixed version implementing nonce verification is published yet, temporary workarounds include: disabling the plugin until a patch ships; restricting wp-admin (including admin-post.php and admin-ajax.php) to trusted IP addresses or an additional HTTP authentication layer at the web server; rejecting, at the WAF or in a must-use plugin, POST requests to those entry points whose Origin or Referer header is not the site's own origin; and instructing administrators not to browse untrusted links while logged in to WordPress. Because a successful forgery leaves no error, also review the plugin's pending and approved user lists and its approval settings for changes nobody made deliberately. As defense in depth, keep WordPress core and all other plugins current.
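An interim origin check of the kind the workaround list mentions, as an added example rather than anything vendor-provided. It is assumed to be installed as a must-use plugin in wp-content/mu-plugins/; the nua_demo_* function names are invented, while admin_init, $pagenow, get_allowed_http_origins(), wp_parse_url() and is_user_logged_in() are WordPress core:

```php
<?php
/*
 * Plugin Name: Interim cross-site admin-post guard (illustrative)
 *
 * Example added to this page, not vendor code. Dropped into
 * wp-content/mu-plugins/ it rejects POSTs to admin-post.php and
 * admin-ajax.php from a logged-in user whose Origin (or, failing that,
 * Referer) is not one of the site's own origins. It is a stopgap while
 * the plugin is unpatched and does not replace per-handler nonce checks.
 */

// Returns "scheme://host" from the Origin header, else from Referer,
// '' when the header is present but unparseable (e.g. "Origin: null"),
// or null when neither header is present.
function nua_demo_request_origin() {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $key ) {
        if ( empty( $_SERVER[ $key ] ) ) {
            continue;
        }
        $parts = wp_parse_url( $_SERVER[ $key ] );
        if ( empty( $parts['host'] ) ) {
            return ''; // untrusted: a real browser origin always has a host
        }
        $scheme = ! empty( $parts['scheme'] ) ? $parts['scheme'] : 'https';
        return strtolower( $scheme . '://' . $parts['host'] );
    }
    return null;
}

// True when a POST came from a foreign origin. Browsers attach Origin to every
// cross-site POST, so a request with neither header is most likely a
// non-browser client and is allowed through by default; pass true to block
// such requests as well if the site has no non-browser admin clients.
function nua_demo_is_cross_site_post( $block_headerless = false ) {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return false;
    }
    $origin = nua_demo_request_origin();
    if ( null === $origin ) {
        return $block_headerless;
    }
    // get_allowed_http_origins() returns the http and https forms of the
    // home and admin hosts, so www/non-www variants are both accepted.
    return ! in_array( $origin, get_allowed_http_origins(), true );
}

// admin-post.php and admin-ajax.php both fire admin_init before dispatching
// the requested action, so priority 0 runs this guard ahead of plugin handlers.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( ! in_array( $pagenow, array( 'admin-post.php', 'admin-ajax.php' ), true ) ) {
        return;
    }
    if ( is_user_logged_in() && nua_demo_is_cross_site_post() ) {
        wp_die( 'Cross-site request rejected.', '', array( 'response' => 403 ) );
    }
}, 0 );
```

Two caveats apply. The check covers only POST; if the vulnerable handler also accepts GET it must be disabled or patched, because a GET navigation carries no Origin header and Referer can be suppressed by the attacker's Referrer-Policy. And the site's own origins are taken from home_url() and admin_url(), so a site served under an additional hostname needs that hostname added through the allowed_http_origins filter before this guard is enabled, or legitimate admin forms will be rejected.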

Priority Score

36 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +36, POC 0


CVE-2025-63030 vulnerability details – vuln.today
