PT-2026-5067 · WordPress · New User Approve
Deadbee · Published 2026-01-28 · Updated 2026-02-02 · CVE-2026-0832
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
New User Approve plugin for WordPress versions up to and including 3.2.2
Description
The New User Approve plugin for WordPress is susceptible to unauthorized data access and modification. This is due to a missing capability check on multiple REST API endpoints. An unauthenticated attacker can approve or deny user accounts, retrieve sensitive user information such as emails and roles, and force logout of privileged users. The affected API endpoints include those used for user approval and account management. The vulnerable functionality allows manipulation of user account status and access to user data without proper authorization.
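A static check for the weakness class described above, added here as an example and not taken from the plugin or its fix: it scans plugin PHP source for `register_rest_route()` calls that have no `permission_callback` or set it to `__return_true`. The sample routes and function names are constructed and hypothetical, and the scanner assumes PHP comments contain no unbalanced quotes.

```python
import re

OPEN_CALLBACKS = {"__return_true"}  # callbacks that grant access to every caller
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[()]""")

# Constructed sample plugin source; routes and function names are hypothetical.
SAMPLE_PHP = r"""
register_rest_route( 'example/v1', '/users/(?P<id>\d+)/approve', array(
    'methods' => 'POST', 'callback' => 'example_approve',
) );
register_rest_route( 'example/v1', '/users', array(
    'callback' => 'example_list', 'permission_callback' => '__return_true',
) );
register_rest_route( 'example/v1', '/users/deny', array(
    'callback' => 'example_deny',
    'permission_callback' => function () { return current_user_can( 'edit_users' ); },
) );
"""

def _call_args(src, start):
    """Text between the '(' at index start and its match; string literals are skipped whole."""
    depth = 0
    for tok in TOKEN.finditer(src, start):
        if tok.group() == "(":
            depth += 1
        elif tok.group() == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:tok.start()]
    return src[start + 1:]  # unbalanced input: return the remainder

def audit_rest_routes(php_source):
    """Return (route, problem) for routes registered without a real permission check."""
    findings = []
    for m in re.finditer(r"register_rest_route\s*\(", php_source):
        args = _call_args(php_source, m.end() - 1)
        literals = re.findall(r"""['"]([^'"]*)['"]""", args)
        route = "/".join(s.strip("/") for s in literals[:2])  # namespace + path
        values = re.findall(r"""['"]permission_callback['"]\s*=>\s*(['"]?[\w\\:]*)""", args)
        if not values:
            findings.append((route, "no permission_callback"))
        elif any(v.strip("'\"") in OPEN_CALLBACKS for v in values):
            findings.append((route, "permission_callback always allows"))
    return findings

if __name__ == "__main__":
    for route, problem in audit_rest_routes(SAMPLE_PHP):
        print(f"{route}: {problem}")
```

A route that passes this check still needs manual review: a callback can exist and yet test the wrong capability or none at all.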
Recommendations
Update the New User Approve plugin to a version later than 3.2.2.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
New User Approve