New User Approve WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated User Management and Data Access

Vulnerability

A vulnerability exists in the New User Approve plugin for WordPress, in all versions through 3.2.2, due to a lack of proper capability checks on several REST API endpoints. This oversight enables unauthenticated attackers to approve or deny user accounts, access sensitive user information such as emails and roles, and forcibly log out privileged users.
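The defect class described above is a REST route whose permission callback does not enforce a capability, so WordPress dispatches the handler for any caller. The following is an added illustration, not code from the New User Approve plugin or its fix: a hypothetical route registered with `'__return_true'` as its permission callback, beside the hardened form that requires a capability and validates its argument. The namespace `example-plugin/v1`, the route paths, the `example_approve_user` handler and the `edit_users` capability are all assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the New User Approve plugin.
// Hypothetical routes; namespace, paths, handler and capability are assumptions.

// Weak registration: '__return_true' satisfies WordPress's requirement that a
// permission_callback exist, but grants every caller (including unauthenticated
// ones) access to the handler. This is the pattern that produces a missing
// authorization bug like the one described in this advisory.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/users/(?P<id>\d+)/approve', array(
        'methods'             => 'POST',
        'callback'            => 'example_approve_user',
        'permission_callback' => '__return_true', // no authorization check at all
    ) );
} );

// Hardened registration: the permission callback is evaluated before the
// handler and must return true; returning a WP_Error makes WordPress answer
// with 401 (no logged-in user) or 403 (user lacks the capability).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/users/(?P<id>\d+)/approve-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_approve_user',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Only users holding the capability may manage other accounts.
            if ( ! current_user_can( 'edit_users' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to manage user approvals.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared handler. Because authorization lives in the permission callback,
// the handler itself only needs to validate that the target user exists.
function example_approve_user( WP_REST_Request $request ) {
    $user_id = (int) $request['id'];
    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    // Hypothetical approval bookkeeping; a real plugin stores its own status.
    update_user_meta( $user_id, 'example_approval_status', 'approved' );
    return rest_ensure_response( array( 'id' => $user_id, 'status' => 'approved' ) );
}
```

Two points worth checking when auditing a plugin for this class of issue: since WordPress 5.5, omitting `permission_callback` entirely triggers a `_doing_it_wrong` notice, but `'__return_true'` silences that notice while providing no authorization, so it deserves the same scrutiny as an absent callback on any route that reads or changes user data. Second, `current_user_can()` only sees a user when the request is authenticated (for cookie-based sessions that also requires a valid `X-WP-Nonce`), so a capability check in the permission callback is what turns an anonymous request into a 401 rather than a successful call.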

Impact

Exploitation of this vulnerability could lead to unauthorized user account management and disclosure of sensitive user information.

Reproduction

The vulnerability can be reproduced by sending requests to the affected REST API endpoints without authentication. The missing capability checks allow for unauthorized approval or denial of user accounts, as well as access to sensitive user details.

Remediation

Users are advised to update the New User Approve plugin to version 3.2.3 or later.

Added: Jan 28, 2026, 7:26 AM
Updated: Jan 28, 2026, 7:26 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 9.3
remediation: 7.7
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.