Impact
The Aruba HiSpeed Cache WordPress plugin contains missing capability checks on several functions in all versions up to and including 3.0.2. This flaw allows any user who can reach the site’s HTTP interface to modify the plugin’s configuration settings, toggle features, enable or disable WordPress cron jobs, and turn debug mode on or off without authenticating. As a result, an attacker can gain unrestricted control over the plugin’s behavior, potentially leading to denial of service, persistence, or a foothold for broader compromise. The weakness is identified as an authorization failure (CWE-862).
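The pattern behind CWE-862 in a WordPress plugin, shown as an added illustration rather than the plugin's own code: a hypothetical settings-toggle AJAX handler that is exposed to anonymous callers and never checks who is calling, next to a hardened version. All names (the hsc_ hook and function names, the hsc_options option, the nonce action) are assumptions for this example.

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical settings-toggle
// handler registered for both logged-in and anonymous AJAX callers, which is the
// missing-authorization pattern CWE-862 describes, beside a hardened version.

// Vulnerable pattern: reachable by anyone (nopriv hook) and trusts the request.
add_action( 'wp_ajax_hsc_toggle_feature',        'hsc_toggle_feature_unchecked' );
add_action( 'wp_ajax_nopriv_hsc_toggle_feature', 'hsc_toggle_feature_unchecked' );

function hsc_toggle_feature_unchecked() {
    $feature = sanitize_key( $_POST['feature'] ?? '' );
    $enabled = ! empty( $_POST['enabled'] );
    $opts    = get_option( 'hsc_options', array() ); // hypothetical option name
    $opts[ $feature ] = $enabled;
    update_option( 'hsc_options', $opts );           // no capability or nonce check
    wp_send_json_success( $opts );
}

// Hardened pattern: no nopriv hook, a capability check, a nonce check, and an
// allow-list of settings the endpoint may change.
add_action( 'wp_ajax_hsc_toggle_feature_safe', 'hsc_toggle_feature_checked' );

function hsc_toggle_feature_checked() {
    // Reject callers who are not permitted to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that did not originate from the plugin's own admin page (CSRF).
    check_ajax_referer( 'hsc_settings_nonce', 'nonce' );

    $allowed = array( 'cache', 'cron', 'debug' ); // known settings only
    $feature = sanitize_key( $_POST['feature'] ?? '' );
    if ( ! in_array( $feature, $allowed, true ) ) {
        wp_send_json_error( 'unknown feature', 400 );
    }
    $opts = get_option( 'hsc_options', array() );
    $opts[ $feature ] = ! empty( $_POST['enabled'] );
    update_option( 'hsc_options', $opts );
    wp_send_json_success( $opts );
}
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` or `permission_callback => '__return_true'` registration and confirm the handler behind it either changes nothing or performs its own `current_user_can()` check.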
Affected Systems
Aruba HiSpeed Cache plugin for WordPress, versions up to and including 3.0.2, regardless of the WordPress core version. Sites running any of these affected releases should verify the installed plugin version and upgrade if possible.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate severity, but the EPSS score of less than 1% indicates that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, and no known exploits have been publicly reported. Nevertheless, because the flaw permits unauthenticated configuration changes through network-accessible endpoints, any exposed WordPress installation that uses the affected plugin is at risk. Attackers could reach the vulnerable endpoints without credentials, making remediation the most prudent course of action.
OpenCVE Enrichment