CVE-2026-0832

Description

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users.

PUBLISHED Reserved 2026-01-09 | Published 2026-01-28 | Updated 2026-01-28 | Assigner Wordfence

Problem types

CWE-862 Missing Authorization

Product status

Timeline

Credits

Deadbee finder

References

www.wordfence.com/...-2fc5-4c84-872b-929dbec429cd?source=cve

plugins.trac.wordpress.org/...udes/end-points/mobile-api.php

plugins.trac.wordpress.org/...udes/end-points/mobile-api.php

plugins.trac.wordpress.org/...udes/end-points/mobile-api.php

plugins.trac.wordpress.org/...udes/end-points/mobile-api.php

plugins.trac.wordpress.org/...-approve&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...-approve&sfp_email=&sfph_mail=

cve.org (CVE-2026-0832)

nvd.nist.gov (CVE-2026-0832)

Download JSON