New User Approve < 3.2.3 – Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure | CVE 2026-0832 | Plugin Vulnerabilities

Description

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users.

Affects Plugins

new-user-approve

Fixed in 3.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Deadbee

Verified

No

WPVDB ID

d0622077-1b37-4462-9679-1e1f0a6406ad

Timeline

Publicly Published

2026-01-27 (about 4 months ago)

Added

2026-01-27 (about 4 months ago)

Last Updated

2026-01-28 (about 4 months ago)

Other

Published

Title

Published

2025-04-02

Title

Free Woocommerce Product Table View <= 1.78 - Missing Authorization to Arbitrary Content Deletion

Published

2026-04-22

Title

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce < 3.8.0 - Missing Authorization

Published

2024-11-20

Title

My Contador lesr < 2.1 - Missing Authorization to Unauthenticated User Registration CSV Export

Published

2024-01-25

Title

10Web AI Assistant – AI content writing assistant < 1.0.19 - Missing Authorization to Arbitrary Plugin Installation

Published

2024-04-15

Title

Theme My Login < 7.1.7 - Missing Authorization to Notice Dismissal