{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25390", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-03-25T16:14:47.530Z", "dateUpdated": "2026-03-26T16:50:46.529Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "new-user-approve", "product": "New User Approve", "vendor": "Saad Iqbal", "versions": [{"changes": [{"at": "3.2.4", "status": "unaffected"}], "lessThanOrEqual": "<= 3.2.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:26.518Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects New User Approve: from n/a through <= 3.2.3.</p>"}], "value": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:47.530Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress New User Approve plugin <= 3.2.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:21.183444Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:46.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:21.183444Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:11.318Z"}}], "cna": {"title": "WordPress New User Approve plugin <= 3.2.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Saad Iqbal", "product": "New User Approve", "versions": [{"status": "affected", "changes": [{"at": "3.2.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.2.3"}], "packageName": "new-user-approve", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:26.518Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects New User Approve: from n/a through <= 3.2.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:47.530Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25390", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:50:46.529Z", "dateReserved": "2026-02-02T12:53:07.231Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:47.530Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Saad Iqbal New User Approve new-user-approve permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a New User Approve: desde n/a hasta &lt;= 3.2.3."}], "id": "CVE-2026-25390", "lastModified": "2026-03-26T17:16:31.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:48.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "New User Approve", "source": "cna", "vendor": "Saad Iqbal"}, "product": "new_user_approve", "vendor": "saad_iqbal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:56:21.261297+00:00", "value": {"mitigation_remediation": ["Upgrade the \"New User Approve\" plugin to the latest available version (greater than 3.2.3).", "If an upgrade is not immediately possible, disable or delete the plugin to eliminate the vulnerability.\n", "Verify that only authorized WordPress roles have permission to approve new users and audit existing role capabilities for over\u2011privileged settings.\n", "Monitor site logs for unusual user approval activity and review WordPress security configurations regularly."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Systems running the Saad Iqbal New User Approve plugin from its initial release through version 3.2.3 are affected. No specific sub\u2011version details are provided beyond the maximum version of 3.2.3. WordPress sites that have not upgraded beyond this point remain vulnerable.", "description_and_impact": "The vulnerability is a missing authorization issue that allows an attacker to exploit incorrectly configured access control mechanisms within the Saad Iqbal \"New User Approve\" WordPress plugin. This flaw can enable an unauthorized user to perform privileged actions, such as approving users or modifying permissions, which would normally require higher level access. The weakness aligns with missing protection of authorized resources, granting attackers administrative level functionality.", "risk_and_exploitability": "The CVSS score is not supplied, and no EPSS data is available, so the precise severity and likelihood of exploitation are uncertain. However, because the flaw permits elevated privileges, a malicious actor could create additional admin accounts or alter site settings. The required attack vector is inferred to be via the plugin\u2019s HTTP endpoints or WordPress admin interface, requiring either authenticated access with insufficient privileges or potentially unauthenticated requests if the plugin does not enforce proper checks. The lack of official CISA KEV listing suggests no publicized exploits, but the risk profile remains significant due to the potential impact on confidentiality and integrity of the WordPress installation."}}}}, "created": "2026-03-25T21:44:40.630213+00:00", "updated": "2026-03-26T11:38:35.663761+00:00", "vendors": ["saad_iqbal", "saad_iqbal$PRODUCT$new_user_approve", "wordpress", "wordpress$PRODUCT$wordpress"]}