Aruba HiSpeed Cache WordPress plugin: Unauthorized Admin Actions
CVE-2026-23694
Summary
The Aruba HiSpeed Cache WordPress plugin has a security flaw that could allow an attacker to trick an administrator into making changes to the plugin's settings or the WordPress site's configuration without their knowledge or consent. This could happen if an administrator visits a malicious website. To protect your site, update the plugin to version 3.0.5 or later.
Original description
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.
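As an added example (not code from the plugin or from this advisory), the Python sketch below audits PHP source for the pattern described above: wp_ajax_ handlers that never call a WordPress nonce-verification function. The PHP sample and its demo_* callbacks and option names are constructed for illustration; only the three action names come from the description.

```python
import re

# Constructed sample, NOT the plugin's source: hypothetical demo_* callbacks
# registered under the advisory's action names. Only the third checks a nonce.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_ahsc_reset_options', 'demo_reset_options' );
add_action( 'wp_ajax_ahsc_debug_status', 'demo_debug_status' );
add_action( 'wp_ajax_ahsc_enable_purge', 'demo_enable_purge' );
function demo_reset_options() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    delete_option( 'demo_settings' );
}
function demo_debug_status() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    update_option( 'demo_debug', ! get_option( 'demo_debug' ) );
}
function demo_enable_purge() {
    check_ajax_referer( 'demo_purge_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    update_option( 'demo_purge', true );
}
"""

REGISTRATION = re.compile(r"add_action\(\s*['\"]wp_ajax_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
NONCE_CHECK = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")

def function_body(source, name):
    """Return the text between the braces of `function name(...) {...}`, or None."""
    match = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not match:
        return None
    depth, start = 1, match.end()
    for pos in range(start, len(source)):
        # Heuristic brace matching: braces inside PHP strings are not special-cased.
        depth += {"{": 1, "}": -1}.get(source[pos], 0)
        if depth == 0:
            return source[start:pos]
    return None

def audit_ajax_handlers(source):
    """Map each wp_ajax_ action to 'ok', 'missing-nonce' or 'unresolved'."""
    report = {}
    for action, callback in REGISTRATION.findall(source):
        body = function_body(source, callback)
        if body is None:
            report[action] = "unresolved"  # method/closure callback: review by hand
        else:
            report[action] = "ok" if NONCE_CHECK.search(body) else "missing-nonce"
    return report

if __name__ == "__main__": print(audit_ajax_handlers(SAMPLE_PHP))
```

The check is a heuristic: a nonce call anywhere in the handler body counts as present, and callbacks registered as methods or closures are reported as unresolved for manual review.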
NVD CVSS 4.0
5.1
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026