CVE-2026-0832

New User Approve plugin for WordPress


Executive summary

A high-severity vulnerability has been identified in the New User Approve plugin for WordPress, affecting all versions up to and including version 3. This flaw allows unauthenticated attackers to access and modify user data by exploiting unprotected API endpoints. Successful exploitation could lead to a data breach, unauthorized user account creation or modification, and potential site compromise.

Vulnerability

The vulnerability exists due to a missing capability check on multiple REST API endpoints within the New User Approve plugin. The plugin fails to verify whether the user making a request holds the permissions required for the requested action. An unauthenticated attacker can send specially crafted requests directly to these vulnerable API endpoints to bypass security controls and perform administrative actions, such as viewing user information or approving/denying user registrations.
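The following is an added illustration, not code from the New User Approve plugin or from this advisory, of what a missing capability check on a WordPress REST route looks like and how the corrected route differs. The namespace `example-plugin/v1`, the `/pending-users` route, the callback names and the `example_user_status` meta key are hypothetical placeholders; the WordPress functions used (`register_rest_route`, `current_user_can`, `rest_authorization_required_code`, `get_users`) are the real core API.

```php
<?php
// Added illustration; not code from the New User Approve plugin.
// Namespace, route, callback names and meta key are hypothetical placeholders.

/**
 * WEAK PATTERN: the route is reachable by anyone because the
 * permission_callback unconditionally returns true. The handler then
 * reads (or, on a POST route, changes) user accounts with no capability
 * check at all. This is the class of defect the advisory describes.
 */
function example_register_pending_users_route_weak() {
    register_rest_route( 'example-plugin/v1', '/pending-users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_pending_users',
        'permission_callback' => '__return_true', // no capability check
    ) );
}

/**
 * HARDENED PATTERN: the same route, but the permission_callback requires
 * a capability that only trusted roles hold before the handler runs.
 * Managing accounts is a privileged action, so 'edit_users' (held by
 * administrators on a single site) is an appropriate gate.
 */
function example_register_pending_users_route_hardened() {
    register_rest_route( 'example-plugin/v1', '/pending-users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_pending_users',
        'permission_callback' => 'example_can_manage_pending_users',
    ) );
}

function example_can_manage_pending_users( WP_REST_Request $request ) {
    // Cookie-authenticated REST requests also need a valid X-WP-Nonce header
    // (or _wpnonce parameter); without it WordPress treats the request as
    // unauthenticated, so current_user_can() correctly returns false here.
    if ( ! current_user_can( 'edit_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to manage pending users.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Hypothetical handler: returns users whose (placeholder) status meta is "pending".
function example_list_pending_users( WP_REST_Request $request ) {
    $users = get_users( array(
        'meta_key'   => 'example_user_status', // hypothetical meta key
        'meta_value' => 'pending',
        'fields'     => array( 'ID', 'user_login', 'user_email' ),
    ) );
    return rest_ensure_response( $users );
}

// Only the hardened registration is hooked; the weak one is kept for comparison.
add_action( 'rest_api_init', 'example_register_pending_users_route_hardened' );
```

The same gate applies to state-changing routes (an approve or deny action registered with `WP_REST_Server::CREATABLE` or `EDITABLE`): the capability is checked on every request regardless of whether the caller knows the route path, which is what a secret-looking URL cannot provide. When auditing an installed plugin, the routes it registers and their `permission_callback` values can be listed from within WordPress via `rest_get_server()->get_routes()`; any entry whose callback is `__return_true` on a route that reads or writes user data deserves the same scrutiny as the weak pattern above.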

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.3, posing a significant risk to the organization. Exploitation could lead to unauthorized access to sensitive user data, resulting in a data breach and potential non-compliance with data privacy regulations. Furthermore, an attacker could modify user data, approve malicious accounts, or deny legitimate users, disrupting business operations and potentially leading to further system compromise, reputational damage, and loss of customer trust.

Remediation

Immediate Action: Administrators should immediately update the New User Approve plugin to the latest patched version (greater than version 3) as recommended by the vendor. If the plugin is not essential for business operations, it should be disabled and removed as a precautionary measure.

Proactive Monitoring: Monitor web server and API logs for unusual or direct requests to the plugin's REST API endpoints (e.g., endpoints under /wp-json/). Scrutinize logs for user management activities, such as new user approvals or data modifications, that do not correlate with legitimate administrative actions.
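As an added example that is not part of the advisory, the PHP CLI script below applies the monitoring step above to constructed Combined Log Format lines: it picks out requests that hit a plugin's REST namespace under /wp-json/ (or the equivalent `?rest_route=` form WordPress uses when pretty permalinks are off), summarises them per source IP, and flags source IPs that never touched /wp-admin/, which is the "does not correlate with legitimate administrative actions" check the text asks for. `example-plugin/v1` is a hypothetical namespace; replace it with the namespace the installed plugin actually registers, and the sample log lines are constructed for the demonstration.

```php
<?php
// Added example, not from the advisory or the plugin. Scans Combined Log
// Format lines for requests to a plugin's REST namespace under /wp-json/.
// REST_NAMESPACE is a hypothetical placeholder for the installed plugin's namespace.

const REST_NAMESPACE = 'example-plugin/v1';

// Constructed sample log lines (IPs are from documentation ranges).
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Jan/2026:10:01:02 +0000] "GET /wp-json/example-plugin/v1/pending-users HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:01:05 +0000] "POST /wp-json/example-plugin/v1/approve HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2026:10:02:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9123 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:10:03:40 +0000] "GET /?rest_route=/example-plugin/v1/pending-users HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2026:10:04:02 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 22310 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:10:04:09 +0000] "POST /wp-json/example-plugin/v1/approve HTTP/1.1" 200 87 "https://example.test/wp-admin/" "Mozilla/5.0"
LOG;

/** Parse one Combined Log Format line into fields; null if it does not match. */
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[8],
    );
}

/** True if the request path targets the given REST namespace. */
function targets_namespace( string $path, string $namespace ): bool {
    if ( strpos( $path, '/wp-json/' . $namespace . '/' ) === 0 ) {
        return true;
    }
    // Sites without pretty permalinks expose the same routes as /?rest_route=/ns/...
    $query = parse_url( $path, PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $params );
        if ( isset( $params['rest_route'] )
            && strpos( $params['rest_route'], '/' . $namespace . '/' ) === 0 ) {
            return true;
        }
    }
    return false;
}

/** Return parsed entries that hit the namespace, plus the set of IPs seen in /wp-admin/. */
function scan_log( array $lines, string $namespace ): array {
    $hits      = array();
    $admin_ips = array();
    foreach ( $lines as $line ) {
        $entry = parse_log_line( trim( $line ) );
        if ( $entry === null ) {
            continue;
        }
        if ( strpos( $entry['path'], '/wp-admin/' ) === 0 ) {
            $admin_ips[ $entry['ip'] ] = true;
        }
        if ( targets_namespace( $entry['path'], $namespace ) ) {
            $hits[] = $entry;
        }
    }
    return array( $hits, $admin_ips );
}

/** Group hits per source IP: request count, HTTP methods and user agents used. */
function summarize_by_ip( array $hits ): array {
    $summary = array();
    foreach ( $hits as $h ) {
        if ( ! isset( $summary[ $h['ip'] ] ) ) {
            $summary[ $h['ip'] ] = array( 'count' => 0, 'methods' => array(), 'agents' => array() );
        }
        $summary[ $h['ip'] ]['count']++;
        $summary[ $h['ip'] ]['methods'][ $h['method'] ] = true;
        $summary[ $h['ip'] ]['agents'][ $h['ua'] ]      = true;
    }
    return $summary;
}

list( $hits, $admin_ips ) = scan_log( explode( "\n", $sample_log ), REST_NAMESPACE );
foreach ( summarize_by_ip( $hits ) as $ip => $s ) {
    printf(
        "%-14s %d request(s) methods=%s agents=%s %s\n",
        $ip,
        $s['count'],
        implode( ',', array_keys( $s['methods'] ) ),
        implode( ',', array_keys( $s['agents'] ) ),
        isset( $admin_ips[ $ip ] ) ? '' : '[no /wp-admin/ activity from this IP]'
    );
}
```

On the constructed lines, 203.0.113.5 and 192.0.2.9 are reported with the "no /wp-admin/ activity" flag (direct scripted requests to the plugin's routes), while 198.51.100.7 is not, because its approve request follows a session in /wp-admin/. The flag is a triage aid rather than proof: an administrator may legitimately call the REST API from a script, and an IP that visited /wp-admin/ may still have been unauthenticated. Feed real logs in with `explode( "\n", file_get_contents( $path ) )` in place of the sample heredoc.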

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block or restrict access to the vulnerable API endpoints. Additionally, consider restricting access to the WordPress API at the network level, allowing connections only from trusted IP addresses.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity rating (CVSS 7.3) and the direct risk of a data breach, it is strongly recommended that organizations treat this vulnerability with high urgency. Although this CVE is not currently listed on the CISA KEV list, the ease of exploitation presents a clear and immediate danger. The primary and most effective course of action is to apply the vendor-supplied patch immediately to all affected WordPress instances to prevent unauthorized access and modification of user data.