The New User Approve plugin for WordPress, maintained by saadiqbal, suffers from a missing authorization vulnerability (CWE-862) identified as CVE-2026-0832. This vulnerability affects all versions up to and including 3.2.2. The root cause is the absence of proper capability checks on multiple REST API endpoints, which are intended to manage user account approvals. Due to this missing authorization, unauthenticated attackers can interact with these endpoints to approve or deny new user registrations without any privilege verification. Additionally, attackers can retrieve sensitive user information such as email addresses and user roles, which could facilitate further targeted attacks or social engineering. The vulnerability also allows attackers to forcibly log out privileged users, potentially disrupting administrative control. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction required. The impact affects confidentiality, integrity, and availability of the affected WordPress sites. No official patches or exploit code are currently available, but the vulnerability is publicly disclosed and should be considered critical for sites using this plugin. The plugin is popular among WordPress administrators who require manual approval of new user registrations, making this vulnerability particularly impactful in community or membership-based websites.

The vulnerability allows attackers to bypass user approval workflows, potentially enabling unauthorized account creation or denial, which can undermine site membership integrity. Exposure of sensitive user data such as emails and roles compromises confidentiality and may facilitate phishing or privilege escalation attacks. Forced logout of privileged users can disrupt site administration and availability, potentially leading to denial of service for legitimate administrators. Collectively, these impacts threaten the security posture of affected WordPress sites, risking unauthorized access, data leakage, and operational disruption. Organizations relying on this plugin for user management face increased risk of account takeover, data breaches, and administrative interference, which can damage reputation and lead to compliance violations.

Since no official patches are currently available, immediate mitigation should include disabling the New User Approve plugin until a secure version is released. Administrators should restrict access to the WordPress REST API endpoints via web application firewalls or server-level rules to block unauthenticated requests targeting these endpoints. Implementing additional authentication or IP whitelisting for REST API access can reduce exposure. Monitoring logs for unusual API activity related to user approval endpoints can help detect exploitation attempts. Regularly updating WordPress core and plugins, and subscribing to security advisories from the plugin author or WordPress security teams, will ensure timely application of future patches. Consider alternative user approval mechanisms or plugins with verified secure authorization controls if immediate patching is not feasible.