CVE-2026-0832: CWE-862 Missing Authorization in saadiqbal New User Approve
CVE-2026-0832 is a high-severity vulnerability in the WordPress plugin 'New User Approve' (all versions up to and including 3.2.2) caused by missing authorization checks on multiple REST API endpoints. The flaw lets unauthenticated attackers approve or deny user accounts, read sensitive user data such as email addresses and roles, and forcibly log out privileged users. Exploitation requires neither authentication nor user interaction and is possible remotely over the network. No in-the-wild exploitation is currently reported, but the low effort required and the impact on confidentiality, integrity and availability make this a significant threat. European organizations running WordPress with this plugin risk unauthorized account control and data exposure. Mitigation means updating the plugin as soon as a fixed release is available, or disabling it until then, combined with monitoring and restricting access to the plugin's REST API routes. Countries with high WordPress adoption and large digital service sectors, such as Germany, the UK, France and the Netherlands, are the most likely to be affected.
AI Analysis
Technical Summary
CVE-2026-0832 is a vulnerability classified under CWE-862 (Missing Authorization) in the 'New User Approve' WordPress plugin developed by saadiqbal. The plugin gates new registrations behind an administrator approval step. The vulnerability exists because multiple REST API endpoints the plugin registers do not verify that the caller holds an appropriate capability; in WordPress REST terms, the check that belongs in a route's permission_callback (for example a current_user_can() test) is absent or always passes, so WordPress dispatches the request to the handler for any visitor. As a result, unauthenticated attackers can approve or deny pending accounts, retrieve user information including email addresses and roles, and forcibly log out users with elevated privileges. All versions up to and including 3.2.2 are affected. The CVSS v3.1 base score is 7.3 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low impact on each of confidentiality, integrity and availability. Although no public exploit is currently known, the endpoints are reachable by anyone who can send HTTP requests to the site, so abuse is cheap. The flaw could be leveraged to manipulate user access controls, harvest user data and disrupt administrative sessions, and could serve as a foothold for further compromise of the site.
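The following is an added illustration of how a CWE-862 REST endpoint looks in WordPress plugin code and how the same route is fixed; it is not code from the New User Approve plugin, and the namespace 'example-approve/v1', the route paths, the user-meta key and the choice of the 'promote_users' capability are all assumptions made for the example.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress REST route; this is
// not code from the New User Approve plugin. The namespace 'example-approve/v1',
// the route paths, the meta key and the capability choice are all assumptions.

add_action( 'rest_api_init', function () {

    // VULNERABLE: permission_callback always returns true, so WordPress dispatches
    // the request to the callback for any visitor, logged in or not. This is the
    // shape of a "missing authorization" REST endpoint.
    register_rest_route( 'example-approve/v1', '/approve-unchecked/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_approve_user',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission_callback demands a capability that only trusted
    // roles hold. Because cookie-authenticated REST requests must also carry a
    // valid X-WP-Nonce, this additionally blocks cross-site requests riding on an
    // administrator's browser session. The id argument is validated and sanitised.
    register_rest_route( 'example-approve/v1', '/approve/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_approve_user',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'promote_users' ) ) {
                // 401 for anonymous callers, 403 for logged-in users without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to approve users.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared handler: this is what an attacker reaches directly through the unchecked route.
function example_approve_user( WP_REST_Request $request ) {
    $user_id = (int) $request['id'];
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'Unknown user.', array( 'status' => 404 ) );
    }
    // Hypothetical approval flag; the real plugin keeps its own status field.
    update_user_meta( $user_id, 'example_approval_status', 'approved' );
    return rest_ensure_response( array( 'id' => $user_id, 'status' => 'approved' ) );
}
```

With this loaded, an anonymous POST to /wp-json/example-approve/v1/approve-unchecked/42 runs the handler and flips the flag, while the same POST to /wp-json/example-approve/v1/approve/42 is rejected with a 401 rest_forbidden error before the handler executes. When auditing a plugin for this bug class, grep its register_rest_route() calls for permission_callback values of '__return_true' or closures that do not call current_user_can(), and for routes that omit permission_callback entirely (WordPress logs a notice for those but still serves them).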
Potential Impact
For European organizations, this vulnerability poses a serious risk to WordPress sites that rely on 'New User Approve' to keep self-registered accounts inactive until an administrator reviews them. An attacker who can approve accounts without authorization can register an account and approve it, turning the plugin's gate into a bypass; denying or deleting legitimate pending accounts is equally possible. Exposure of email addresses and roles identifies which accounts are administrators and gives attackers a ready target list for phishing, credential stuffing or social engineering. Forced logout of privileged users disrupts administrative work and can be repeated as a denial-of-service tactic against the people who would respond to an incident. Organizations in sectors such as e-commerce, government, education and media that use WordPress extensively face reputational damage, regulatory exposure under the GDPR if personal data is disclosed, and operational disruption. Because the actions require no authentication, the most likely threat is opportunistic mass scanning for vulnerable plugin versions rather than targeted attacks.
Mitigation Recommendations
Immediate mitigation is to update 'New User Approve' to a release that fixes this issue as soon as one is published, and to deactivate the plugin in the meantime; confirm the installed version is newer than 3.2.2 after updating, since auto-updates can fail silently. Administrators should watch the official plugin repository and Wordfence advisories for the fixed release. Restricting access to the plugin's REST routes via a web application firewall or server-level access controls reduces exposure, but two caveats apply: block only the plugin's own REST namespace rather than all of /wp-json/, because the block editor, Site Health and many other plugins depend on the core REST API; and remember that WordPress also serves REST requests through the query-string form index.php?rest_route=/..., so a rule that matches only the /wp-json/ path can be bypassed. IP allowlisting or an additional authentication layer for those routes is worthwhile where the approval workflow is only used from known networks. Organizations should also audit user accounts for approvals, denials or role changes they did not make, review web server and WordPress logs for unauthenticated requests to the plugin's endpoints and for unexpected session terminations, and enforce strong administrative credentials with multi-factor authentication to limit what an approved rogue account or a harvested address list can be used for. Backups and incident response plans should cover the scenario of an attacker-approved account having been active on the site.
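The compensating control described above can be implemented inside WordPress itself as a must-use plugin that enforces a capability check for a chosen REST namespace regardless of what the plugin's own routes do. The code below is an added example, not code from New User Approve or Wordfence; the namespace prefix '/example-approve/v1/', the 'promote_users' capability and the log prefix are assumptions, and the prefix must be replaced with the vulnerable plugin's actual REST namespace (visible in its register_rest_route() calls or in the GET /wp-json/ index). Because it hooks the REST dispatcher rather than a URL path, it covers both the /wp-json/ and the ?rest_route= request forms.

```php
<?php
/**
 * Plugin Name: Example REST namespace guard (mu-plugin)
 * Description: Added illustration, not code from New User Approve or Wordfence.
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and cannot
 * be deactivated from the dashboard. The namespace prefix and capability below
 * are hypothetical; set them to the vulnerable plugin's real REST namespace and
 * to the capability its legitimate users hold.
 */

const EXAMPLE_GUARDED_ROUTE_PREFIXES = array( '/example-approve/v1/' );
const EXAMPLE_GUARD_CAPABILITY       = 'promote_users';

/**
 * Short-circuit REST dispatch for guarded routes when the caller lacks the
 * capability. rest_pre_dispatch runs after WordPress has resolved cookie+nonce
 * or application-password authentication, so current_user_can() is reliable here,
 * and it runs before the route's own permission_callback, so a missing check in
 * the plugin no longer matters.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response
    }
    $route = $request->get_route(); // e.g. "/example-approve/v1/approve/42"
    foreach ( EXAMPLE_GUARDED_ROUTE_PREFIXES as $prefix ) {
        if ( 0 !== strpos( $route, $prefix ) ) {
            continue;
        }
        if ( ! current_user_can( EXAMPLE_GUARD_CAPABILITY ) ) {
            // Feed the audit trail: blocked attempts are the detection signal.
            error_log( sprintf(
                'example-rest-guard: blocked %s %s from %s',
                $request->get_method(),
                $route,
                $_SERVER['REMOTE_ADDR'] ?? '-'
            ) );
            return new WP_Error(
                'rest_forbidden',
                'This endpoint requires administrative privileges.',
                array( 'status' => rest_authorization_required_code() )
            );
        }
        break;
    }
    return $result;
}, 10, 3 );

/**
 * Also hide the guarded routes from the route index (GET /wp-json/ and
 * /wp-json/<namespace>), which otherwise lists every route and its arguments
 * to anonymous visitors and makes reconnaissance trivial.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( current_user_can( EXAMPLE_GUARD_CAPABILITY ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( EXAMPLE_GUARDED_ROUTE_PREFIXES as $prefix ) {
            if ( 0 === strpos( $route, $prefix ) ) {
                unset( $endpoints[ $route ] );
            }
        }
    }
    return $endpoints;
} );
```

After installing it, verify from an unauthenticated shell that a request to a guarded route returns HTTP 401 with code rest_forbidden, then verify from a logged-in administrator session in the dashboard that the plugin's approval screen still works; if it does not, the chosen capability is narrower than the plugin's intended audience and should be adjusted rather than the guard removed. The error_log() lines give a searchable signal for the log review recommended above.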
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-09T21:21:53.121Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6979b5554623b1157c9a94ce
Added to database: 1/28/2026, 7:05:57 AM
Last enriched: 2/4/2026, 9:28:54 AM
Last updated: 2/6/2026, 4:10:56 PM
Related Threats
- CVE-2026-2057: SQL Injection in SourceCodester Medical Center Portal Management System (Medium)
- CVE-2024-36597: n/a (High)
- CVE-2024-32256: n/a (High)
- CVE-2024-36599: n/a (Medium)
- CVE-2026-2056: Information Disclosure in D-Link DIR-605L (Medium)