Skip to main content

New User Approve CVE-2026-25390

| EUVDEUVD-2026-15705 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-v6mh-26pg-v9r8
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15705
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.3.

AnalysisAI

The New User Approve plugin for WordPress versions 3.2.3 and earlier contains a missing authorization check that allows authenticated users to modify access control settings beyond their intended privileges. An attacker with basic user credentials could escalate their permissions or alter security configurations without proper authorization. No patch is currently available for this vulnerability.

Technical ContextAI

The New User Approve plugin (CPE: cpe:2.3:a:saad_iqbal:new_user_approve:*:*:*:*:*:*:*:*) is a WordPress plugin designed to moderate and approve new user registrations before they gain site access. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to sensitive administrative functions or user approval workflows. WordPress plugins operate within the WordPress plugin API and hook system, which relies on proper use of nonces, capability checks (such as current_user_can()), and role-based access control (RBAC). The flaw suggests inadequate validation of whether a requesting user possesses the necessary WordPress capabilities (admin, moderator, or equivalent roles) before allowing them to interact with new user approval workflows, likely exposing REST endpoints or form handlers without proper permission gates.

RemediationAI

Users of the New User Approve plugin must upgrade to a patched version greater than 3.2.3 as soon as it becomes available; consult the Patchstack vulnerability database and the plugin's official WordPress.org repository for the latest secure release. Until an official patch is released, administrators should consider disabling the New User Approve plugin and reverting to WordPress's native user approval workflow, or use alternative, well-maintained user moderation plugins. As an interim mitigation, restrict administrative and approval capabilities to trusted roles only, review and audit recent user approvals for signs of unauthorized activity, and monitor access logs for suspicious requests to user approval endpoints. Additionally, implement Web Application Firewall (WAF) rules to block requests to sensitive plugin paths from untrusted sources, and enforce strong authentication (two-factor authentication) on all administrative accounts to limit lateral movement in the event of account compromise.

Share

CVE-2026-25390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy