Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.3.
AnalysisAI
The New User Approve plugin for WordPress versions 3.2.3 and earlier contains a missing authorization check that allows authenticated users to modify access control settings beyond their intended privileges. An attacker with basic user credentials could escalate their permissions or alter security configurations without proper authorization. No patch is currently available for this vulnerability.
Technical ContextAI
The New User Approve plugin (CPE: cpe:2.3:a:saad_iqbal:new_user_approve:*:*:*:*:*:*:*:*) is a WordPress plugin designed to moderate and approve new user registrations before they gain site access. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to sensitive administrative functions or user approval workflows. WordPress plugins operate within the WordPress plugin API and hook system, which relies on proper use of nonces, capability checks (such as current_user_can()), and role-based access control (RBAC). The flaw suggests inadequate validation of whether a requesting user possesses the necessary WordPress capabilities (admin, moderator, or equivalent roles) before allowing them to interact with new user approval workflows, likely exposing REST endpoints or form handlers without proper permission gates.
RemediationAI
Users of the New User Approve plugin must upgrade to a patched version greater than 3.2.3 as soon as it becomes available; consult the Patchstack vulnerability database and the plugin's official WordPress.org repository for the latest secure release. Until an official patch is released, administrators should consider disabling the New User Approve plugin and reverting to WordPress's native user approval workflow, or use alternative, well-maintained user moderation plugins. As an interim mitigation, restrict administrative and approval capabilities to trusted roles only, review and audit recent user approvals for signs of unauthorized activity, and monitor access logs for suspicious requests to user approval endpoints. Additionally, implement Web Application Firewall (WAF) rules to block requests to sensitive plugin paths from untrusted sources, and enforce strong authentication (two-factor authentication) on all administrative accounts to limit lateral movement in the event of account compromise.
More in New User Approve
View allThe New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding
Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.5.1. Rated medium severity (CVSS 4.3), t
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15705
GHSA-v6mh-26pg-v9r8