Atomic Edge analysis of CVE-2026-0832:
This vulnerability is a Missing Authorization flaw in the New User Approve WordPress plugin. The plugin exposes multiple REST API endpoints without proper capability checks. Unauthenticated attackers can exploit these endpoints to approve or deny user registrations, retrieve sensitive user information, and force privileged users to log out. The CVSS 7.3 score reflects the high impact on confidentiality, integrity, and availability.

Atomic Edge research identifies the root cause in the plugin’s REST API endpoint registration. The vulnerable code registers endpoints without implementing the `permission_callback` parameter or with inadequate capability verification. The diff shows the primary fix in `/new-user-approve/includes/class-new-user-approve-admin.php` where the `register_rest_routes` method is modified. The patched version adds proper permission callbacks to endpoints including `/approve-user`, `/deny-user`, `/get-users`, and `/logout-user`. The vulnerability affects all plugin versions up to and including 3.2.2.
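A practical check for the root cause described above, as an added example that is not the plugin's code or part of the Atomic Edge analysis: enumerate the REST routes WordPress has registered under a namespace and flag handlers whose `permission_callback` is missing or is the permissive `__return_true`. It must run inside WordPress (for instance via the WP-CLI command `wp eval-file`, with a hypothetical file name) because it reads the live route table; the function name and the default namespace prefix are assumptions, the prefix being taken from the endpoint paths on this page.

```php
<?php
// Added audit helper (hypothetical name), not from the plugin or the advisory.
// Run inside WordPress, e.g. `wp eval-file nua-route-audit.php` (file name assumed).

function nua_audit_public_routes( $prefix = '/new-user-approve/v1' ) {
    $findings = array();

    // rest_get_server() creates the server and fires rest_api_init, so every
    // plugin's routes are registered by the time get_routes() is read.
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( 0 !== strpos( $route, $prefix ) ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            $reason = null;
            if ( empty( $handler['permission_callback'] ) ) {
                // WP_REST_Server skips the permission step when the key is empty,
                // so the handler runs for any caller (WordPress 5.5+ only logs
                // a _doing_it_wrong notice; the request is still dispatched).
                $reason = 'no permission_callback';
            } elseif ( '__return_true' === $handler['permission_callback'] ) {
                $reason = 'permission_callback is __return_true';
            }
            if ( null !== $reason ) {
                $findings[] = array(
                    'route'   => $route,
                    // get_routes() normalizes methods to an array keyed by verb.
                    'methods' => implode( ',', array_keys( $handler['methods'] ) ),
                    'reason'  => $reason,
                );
            }
        }
    }
    return $findings;
}

foreach ( nua_audit_public_routes() as $finding ) {
    printf( "%s [%s]: %s\n", $finding['route'], $finding['methods'], $finding['reason'] );
}
```

An empty result means every route in the namespace at least names a permission callback. The check cannot see inside a closure that simply returns `true`, so routes whose callback is an anonymous function still need a manual read of that function.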

Attackers exploit this vulnerability by sending unauthenticated HTTP requests to the plugin’s REST API endpoints. The attack vector targets `/wp-json/new-user-approve/v1/approve-user` with POST parameters `user_id` and `status`. For user enumeration, attackers query `/wp-json/new-user-approve/v1/get-users` which returns email addresses, roles, and approval statuses. The `/wp-json/new-user-approve/v1/logout-user` endpoint accepts a `user_id` parameter to force user logout. No authentication tokens or nonces are required for these operations.

The patch implements proper WordPress capability checks through permission callbacks. Each REST endpoint now includes a `permission_callback` that verifies the current user has the appropriate administrative privilege: the `approve-user`, `deny-user`, and `logout-user` endpoints require the `edit_users` capability, and the `get-users` endpoint requires `list_users`. These callbacks prevent unauthenticated and low-privileged users from reaching the administrative functions. The fix follows WordPress REST API security best practice by explicitly defining the authorization requirement for every route.
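The registration pattern described above, as an added example that is not the plugin's patched code: the four routes named on this page registered under the `new-user-approve/v1` namespace with the capabilities the patch requires, shown beside the weak form in which a permissive `permission_callback` leaves a route public. Every `nua_example_*` name, the handler bodies, and the `nua_example_status` user-meta key are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's code. All nua_example_* identifiers
// and the nua_example_status meta key are hypothetical.

// Weak form: a permissive permission_callback makes the route reachable by
// anyone. Omitting the key entirely has the same effect.
function nua_example_register_weak_route() {
    register_rest_route( 'new-user-approve/v1', '/approve-user', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'nua_example_set_approval',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: each route names the capability it needs and declares its
// arguments so WordPress validates and sanitizes them before the callback runs.
function nua_example_register_hardened_routes() {
    $ns = 'new-user-approve/v1';

    $user_id_arg = array(
        'required'          => true,
        'type'              => 'integer',
        'sanitize_callback' => 'absint',
        'validate_callback' => function ( $value ) {
            return is_numeric( $value ) && (int) $value > 0;
        },
    );

    // current_user_can() is false for an unauthenticated request, so one
    // closure covers both the anonymous and the low-privilege caller.
    $require_cap = function ( $capability ) {
        return function () use ( $capability ) {
            return current_user_can( $capability );
        };
    };

    foreach ( array( 'approve-user', 'deny-user' ) as $route ) {
        register_rest_route( $ns, '/' . $route, array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'nua_example_set_approval',
            'permission_callback' => $require_cap( 'edit_users' ),
            'args'                => array( 'user_id' => $user_id_arg ),
        ) );
    }

    register_rest_route( $ns, '/logout-user', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'nua_example_logout_user',
        'permission_callback' => $require_cap( 'edit_users' ),
        'args'                => array( 'user_id' => $user_id_arg ),
    ) );

    register_rest_route( $ns, '/get-users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'nua_example_get_users',
        'permission_callback' => $require_cap( 'list_users' ),
    ) );
}
add_action( 'rest_api_init', 'nua_example_register_hardened_routes' );

// Hypothetical handlers. The approval state lives in a user-meta key that
// exists only in this illustration; user_id is already an absint here.
function nua_example_set_approval( WP_REST_Request $request ) {
    $denied = ( '/new-user-approve/v1/deny-user' === $request->get_route() );
    $status = $denied ? 'denied' : 'approved';
    update_user_meta( $request['user_id'], 'nua_example_status', $status );
    return rest_ensure_response( array( 'user_id' => $request['user_id'], 'status' => $status ) );
}

function nua_example_logout_user( WP_REST_Request $request ) {
    // Core API: invalidates every session token held by the target user.
    WP_Session_Tokens::get_instance( $request['user_id'] )->destroy_all();
    return rest_ensure_response( array( 'user_id' => $request['user_id'], 'logged_out' => true ) );
}

function nua_example_get_users() {
    // Return only the fields the caller needs rather than whole WP_User objects.
    $users = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    return rest_ensure_response( $users );
}
```

With cookie authentication, a REST request that lacks a valid `X-WP-Nonce` header is treated as logged out, so `current_user_can()` returns `false` and WordPress answers 401; an authenticated user without the capability receives 403. The capability check in the permission callback is therefore what actually closes the hole; the nonce alone does not authorize anything.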

Successful exploitation allows complete compromise of the user approval workflow. Attackers can approve malicious user accounts, deny legitimate registrations, and disrupt site operations. The information disclosure exposes email addresses and user roles, facilitating targeted attacks. Forcing administrator logout creates denial-of-service conditions and may enable session hijacking. This vulnerability provides attackers with administrative control over user management without requiring valid credentials.