CVE-2026-25390 identifies a missing authorization vulnerability in the New User Approve plugin by Saad Iqbal, specifically affecting versions up to 3.2.3. The vulnerability arises from incorrectly configured access control security levels, which fail to properly restrict the approval of new user registrations. This flaw allows an attacker, potentially without authentication, to exploit the plugin's approval mechanism to approve new users without proper authorization. The plugin is typically used in WordPress environments to manage and moderate new user registrations, making it a critical component in controlling user access. The lack of proper authorization checks means that malicious actors can escalate privileges or create unauthorized accounts, potentially leading to further compromise of the affected system. No CVSS score has been assigned yet, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be considered a serious security risk. The vulnerability was reserved in early 2026 and published in March 2026, indicating recent discovery and disclosure. The absence of patch links suggests that fixes may not yet be available, emphasizing the need for immediate mitigation strategies. The vulnerability's impact is primarily on the integrity and confidentiality of user management processes within affected WordPress sites.

The primary impact of CVE-2026-25390 is unauthorized privilege escalation through the approval of new user accounts without proper authorization. This can lead to unauthorized access to sensitive resources, data leakage, and potential lateral movement within an organization's network. Attackers exploiting this vulnerability can create or approve accounts that bypass normal administrative controls, undermining the integrity of user management. This can facilitate further attacks such as data exfiltration, installation of malicious payloads, or disruption of services. Organizations relying on the New User Approve plugin for user registration control are particularly vulnerable, especially if they do not have additional compensating controls. The ease of exploitation without authentication increases the threat level, potentially affecting a wide range of organizations using WordPress with this plugin. The lack of known active exploits currently reduces immediate risk but does not diminish the potential severity once exploit code becomes available.

1. Immediately restrict access to the New User Approve plugin's user approval functionality to trusted administrators only, using web server or WordPress role-based access controls. 2. Monitor logs for unusual user approval activities or sudden increases in approved accounts. 3. If possible, disable the New User Approve plugin temporarily until a patch or update is released. 4. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being used to exploit this vulnerability. 5. Regularly audit user accounts and remove any suspicious or unauthorized users promptly. 6. Stay informed about updates from the plugin developer or security advisories and apply patches as soon as they become available. 7. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block unauthorized attempts to access the approval endpoints. 8. Conduct a thorough review of access control configurations in WordPress to ensure no other plugins or components have similar authorization weaknesses.