Description
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.
Published: 2026-02-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Actions
Action: Patch
AI Analysis

Impact

The Aruba HiSpeed Cache WordPress plugin versions prior to 3.0.5 contain a cross‑site request forgery vulnerability that allows an attacker to perform unauthorized administrative actions. The vulnerability lies in multiple AJAX handlers that authenticate users but fail to verify a WordPress nonce, letting an attacker reset plugin settings, toggle the WP_DEBUG configuration, or change cache purging behavior without the administrator’s consent.

Affected Systems

The affected product is the Aruba HiSpeed Cache plugin for WordPress, distributed by Aruba.it. All installations using the plugin version earlier than 3.0.5 are vulnerable.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity, and the EPSS score is below 1 %, meaning exploitation probability is low. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve a malicious webpage that forces a logged‑in administrator to load a crafted form that submits forged AJAX requests to admin-ajax.php, leveraging the missing nonce check.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aruba HiSpeed Cache plugin to version 3.0.5 or later.
  • Restrict administrator access to a single IP address or trusted network ranges.
  • Install and configure a WordPress security plugin that enforces nonce checks on all admin AJAX calls.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Aruba
Aruba aruba Hispeed Cache
CPEs cpe:2.3:a:aruba:aruba_hispeed_cache:*:*:*:*:*:wordpress:*:*
Vendors & Products Aruba
Aruba aruba Hispeed Cache

Wed, 25 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Arubadev
Arubadev aruba Hispeed Cache
Wordpress
Wordpress wordpress
Vendors & Products Arubadev
Arubadev aruba Hispeed Cache
Wordpress
Wordpress wordpress

Mon, 23 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.
Title Aruba HiSpeed Cache < 3.0.5 CSRF in Multiple Administrative AJAX Actions
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Aruba Aruba Hispeed Cache
Arubadev Aruba Hispeed Cache
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:20.977Z

Reserved: 2026-01-14T20:09:32.352Z

Link: CVE-2026-23694

cve-icon Vulnrichment

Updated: 2026-02-25T15:07:08.840Z

cve-icon NVD

Status : Deferred

Published: 2026-02-23T21:19:10.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses