Vulnerability Description
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-23694?
CVE-2026-23694 is a documented vulnerability. Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handler...
How severe is CVE-2026-23694?
CVSS scoring is not yet available for CVE-2026-23694. Check NVD for updates.
Is there a patch for CVE-2026-23694?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.