WordPress Plugin Vulnerabilities

Aruba HiSpeed Cache < 3.0.5 - Cross-Site Request Forgery to Plugin Settings Reset

Description

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
aruba-hispeed-cache
Fixed in 3.0.5

References

CVE
CVE-2026-1924
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
41857cb6-b518-4443-a79e-14d8da84b2f7

Timeline

Publicly Published
2026-04-09 (about 1 month ago)
Added
2026-04-09 (about 1 month ago)
Last Updated
2026-04-10 (about 1 month ago)

Other

Published
Title
Published
2023-06-16
Title
Recent Posts Slider <= 1.1 - Cross-Site Request Forgery
Published
2023-10-31
Title
GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation
Published
2025-03-04
Title
Spreadsheet Integration < 3.8.3 - Cross-Site Request Forgery to Arbitrary Post Publish
Published
2025-06-05
Title
Quick Event Calendar <= 1.4.9 - Cross-Site Request Forgery
Published
2024-12-11
Title
Insertify <= 1.1.4 - Cross-Site Request Forgery to Remote Code Execution