The Aruba HiSpeed Cache WordPress plugin prior to version 3.0.5 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2026-23694 (CWE-352). This vulnerability arises because several administrative AJAX handlers—specifically ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge—perform authentication and capability checks but omit verification of WordPress nonces, which are critical for preventing CSRF attacks. Nonces are tokens used to validate that requests originate from legitimate users intending to perform state-changing operations. Without nonce validation, an attacker can craft a malicious webpage that, when visited by a logged-in administrator, sends forged requests to admin-ajax.php. These requests can reset plugin settings, toggle the WP_DEBUG configuration (which can expose sensitive debugging information), or alter cache purging behavior without the administrator’s consent. The vulnerability requires the victim to be authenticated with administrative privileges and to visit a malicious site, but does not require additional user interaction such as clicking buttons. The CVSS 4.0 base score is 5.1, reflecting a medium severity level due to network attack vector, low attack complexity, no privileges required for the attacker, but requiring user interaction. No public exploits have been reported yet, and no patches are linked in the provided data, but upgrading to version 3.0.5 or later is implied to remediate the issue.

This vulnerability allows attackers to perform unauthorized administrative actions on WordPress sites using the Aruba HiSpeed Cache plugin, potentially leading to unauthorized resetting of plugin configurations, enabling or disabling debugging features, and modifying cache purging behavior. Such unauthorized changes can disrupt website performance, cause exposure of sensitive debugging information, or degrade user experience. While it does not directly lead to data theft or remote code execution, the ability to manipulate caching and debugging settings can facilitate further attacks or operational disruptions. Organizations relying on this plugin may face increased risk of site instability, information leakage, or indirect compromise if attackers leverage these changes to escalate privileges or gather intelligence. The requirement for an authenticated administrator to visit a malicious site limits the attack scope but does not eliminate risk, especially in environments with multiple administrators or where phishing attacks are prevalent.

Administrators should immediately update the Aruba HiSpeed Cache plugin to version 3.0.5 or later, where nonce verification is implemented to prevent CSRF attacks. Until an update is applied, organizations should implement additional protective measures such as enforcing strict Content Security Policy (CSP) headers to restrict cross-origin requests, educating administrators to avoid visiting untrusted websites while logged into WordPress admin accounts, and employing web application firewalls (WAFs) that can detect and block suspicious admin-ajax.php requests. Additionally, monitoring administrative actions and plugin configuration changes can help detect exploitation attempts. Disabling or limiting administrative access from untrusted networks and enforcing multi-factor authentication (MFA) for administrator accounts can further reduce risk. Finally, reviewing and hardening WordPress security settings and plugin permissions will help mitigate potential impact.