Description
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-04-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that resets plugin settings to default values
Action: Apply Patch
AI Analysis

Impact

The Aruba HiSpeed Cache plugin for WordPress contains a flaw where the ahsc_ajax_reset_options() function does not perform nonce verification. An unauthenticated attacker can craft a request that forces a logged‑in administrator to reset all plugin settings to their default values by simply clicking on a malicious link. This manipulation affects the plugin’s configuration and can change caching behavior without the user’s knowledge.

Affected Systems

All installations of Aruba HiSpeed Cache version 3.0.4 or earlier are vulnerable. The flaw is present in every release up to 3.0.4; versions 3.0.5 and later contain a nonce check that mitigates the issue.

Risk and Exploitability

The flaw has a CVSS score of 4.3, placing it in the medium severity range. No EPSS data or KEV listing is available, indicating that it has not been widely exploited publicly yet. Attackers require only social engineering to convince an administrator to visit a forged URL. The impact is limited to configuration loss and possible service disruption caused by resetting caching settings.

Generated by OpenCVE AI on April 10, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aruba HiSpeed Cache to version 3.0.5 or later to add nonce validation.
  • Confirm the plugin version has been updated and that the reset function is no longer publicly accessible.
  • Train site administrators to recognize malicious links and verify URLs before clicking.

Generated by OpenCVE AI on April 10, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Arubadev
Arubadev aruba Hispeed Cache
Wordpress
Wordpress wordpress
Vendors & Products Arubadev
Arubadev aruba Hispeed Cache
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Aruba HiSpeed Cache <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Arubadev Aruba Hispeed Cache
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T12:18:06.324Z

Reserved: 2026-02-04T19:11:29.291Z

Link: CVE-2026-1924

cve-icon Vulnrichment

Updated: 2026-04-10T12:18:00.849Z

cve-icon NVD

Status : Received

Published: 2026-04-10T02:16:02.607

Modified: 2026-04-10T02:16:02.607

Link: CVE-2026-1924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:08Z

Weaknesses