{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0832", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-09T21:21:53.121Z", "datePublished": "2026-01-28T06:43:45.651Z", "dateUpdated": "2026-04-08T17:33:57.702Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:57.702Z"}, "affected": [{"vendor": "saadiqbal", "product": "New User Approve", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users."}], "title": "New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "timeline": [{"time": "2026-01-09T21:37:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-27T17:49:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:47:32.158492Z", "id": "CVE-2026-0832", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:48:01.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0832", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:47:32.158492Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:47:50.610Z"}}], "cna": {"title": "New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "saadiqbal", "product": "New User Approve", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T21:37:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-27T17:49:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:57.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0832", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:57.702Z", "dateReserved": "2026-01-09T21:21:53.121Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T06:43:45.651Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users."}, {"lang": "es", "value": "El plugin New User Approve para WordPress es vulnerable a acceso no autorizado a datos y modificaci\u00f3n de datos debido a una comprobaci\u00f3n de capacidad faltante en m\u00faltiples endpoints de la API REST en todas las versiones hasta la 3.2.2, inclusive. Esto hace posible que atacantes no autenticados aprueben o denieguen cuentas de usuario, recuperen informaci\u00f3n sensible del usuario, incluyendo correos electr\u00f3nicos y roles, y fuercen el cierre de sesi\u00f3n de usuarios privilegiados."}], "id": "CVE-2026-0832", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T07:16:00.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T17:34:49.122086+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the New User Approve plugin (3.2.3 or later) or uninstall the plugin if it is no longer needed.", "If a patch cannot be applied immediately, block or shield the plugin\u2019s REST API endpoints using a firewall or whitelist based on authentication status, ensuring that only authenticated users can access them.", "After patch or endpoint restriction, verify that capability checks are enforced by testing the endpoints with authenticated and unauthenticated requests, and confirm that no unauthorized account changes or data retrievals are possible."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin New User Approve developed by saadiqbal. All plugin versions up to 3.2.2 are vulnerable. Sites that install or update to any of these versions are at risk unless mitigated.", "description_and_impact": "The New User Approve plugin for WordPress allows an attacker without any credentials to modify user account status and obtain sensitive information. The vulnerability is caused by missing authorization checks on multiple REST API endpoints in all releases up to and including 3.2.2. An unauthenticated user can send requests to approve or deny user accounts, retrieve user emails and roles, and trigger forced logouts of privileged users. This enables the attacker to alter platform integrity, leak confidential user data, and disrupt user availability.", "risk_and_exploitability": "The CVSS base score is 7.3, indicating a high severity vulnerability, while the EPSS probability is less than 1%, suggesting a low but non\u2011zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Because the vulnerable endpoints are reachable over the network via standard WordPress REST API calls, an attacker can trigger the exploit from any location that can reach the site, with no authentication or special privileges required. The overall exposure is moderate due to the low exploitation probability but remains significant because of the potential for unauthorized account manipulation and data disclosure."}}}}, "created": "2026-01-29T09:18:14.852594+00:00", "updated": "2026-04-15T18:00:15.531852+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}