Atomic Edge analysis of CVE-2026-23545:
The Aruba HiSpeed Cache WordPress plugin, versions up to and including 3.0.4, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to trigger privileged administrative AJAX actions. The vulnerability has a CVSS score of 5.3 and is classified under CWE-862 (Missing Authorization).

Atomic Edge research identifies the root cause as improper registration of AJAX handlers for unauthenticated users. The vulnerable plugin code in `aruba-hispeed-cache/aruba-hispeed-cache.php` registers multiple administrative functions with both `wp_ajax_{action}` and `wp_ajax_nopriv_{action}` hooks. This allows unauthenticated users to access functions that should require administrative privileges. The affected functions include `ahsc_ajax_enable_purge` (line 362), `ahsc_ajax_purge_homepage_on_edit` (line 382), `ahsc_ajax_purge_page_on_new_comment` (line 399), `ahsc_ajax_purge_archive_on_edit` (line 415), `ahsc_ajax_cache_warmer` (line 432), `ahsc_ajax_static_cache` (line 449), `ahsc_ajax_lazy_load` (line 465), `ahsc_ajax_html_optimizer` (line 480), `ahsc_ajax_dns_preconnect` (line 495), `ahsc_ajax_dns_preconnect_domain_list` (line 510), `ahsc_ajax_enable_cron` (line 550), `ahsc_ajax_cron_status` (line 577), `ahsc_ajax_cron_time` (line 593), `ahsc_ajax_xmlrpc_status` (line 613), `ahsc_ajax_reset_options` (line 629), and `ahsc_ajax_dboptimization_active` (line 660).

Exploitation requires sending POST requests to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to any of the vulnerable AJAX hooks. For example, an attacker can send a POST request with `action=ahsc_enable_purge` and a valid `ahsc_nonce` parameter. The nonce check does not prevent exploitation: valid nonces can be obtained by authenticated users through other means, and once a nonce is acquired the `nopriv` registration lets the action execute without authentication. Attackers can also target functions such as `ahsc_ajax_reset_options`, which lacked nonce verification entirely in vulnerable versions.

The patch in version 3.0.5 comments out all `wp_ajax_nopriv_{action}` hook registrations. This change prevents unauthenticated users from accessing the administrative AJAX endpoints. The patch also adds missing nonce verification to the `ahsc_ajax_reset_options` function. Before the patch, unauthenticated users could trigger cache purging, configuration changes, and database optimization operations. After the patch, these actions require authenticated users with `manage_options` capability.
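The registration pattern described above, with the hardened form beside it, as an added illustration that is not the plugin's own code; the `example_*` hook, function, option and nonce names are hypothetical stand-ins modelled on the `wp_ajax_{action}` / `wp_ajax_nopriv_{action}` pattern, and the `manage_options` check is the capability the 3.0.5 fix relies on.

```php
<?php
// Added illustration of the bug class in this advisory; not the plugin's code.
// All example_* names are hypothetical.

// VULNERABLE PATTERN: the same handler is reachable by logged-in users
// (wp_ajax_*) and by anyone at all (wp_ajax_nopriv_*). The nonce check inside
// the handler proves request intent, not privilege, so it is not an
// authorization check on its own.
add_action( 'wp_ajax_example_enable_purge',        'example_ajax_enable_purge' );
add_action( 'wp_ajax_nopriv_example_enable_purge', 'example_ajax_enable_purge' );

function example_ajax_enable_purge() {
    check_ajax_referer( 'example_nonce_action', 'example_nonce' );
    // Administrative state change with no capability check.
    update_option( 'example_enable_purge', isset( $_POST['enabled'] ) ? 1 : 0 );
    wp_send_json_success();
}

// HARDENED PATTERN (what removing the nopriv hook plus a capability check
// achieves): register for authenticated requests only, verify the nonce, then
// require the capability matching the operation before touching any option.
add_action( 'wp_ajax_example_enable_purge_v2', 'example_ajax_enable_purge_v2' );

function example_ajax_enable_purge_v2() {
    // Stops the request (HTTP 403 for AJAX) if the nonce is missing or stale.
    check_ajax_referer( 'example_nonce_action', 'example_nonce' );

    // Authorization: without this line a low-privilege user holding a valid
    // nonce could still flip an administrative setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $enabled = ( isset( $_POST['enabled'] ) && '1' === $_POST['enabled'] ) ? 1 : 0;
    update_option( 'example_enable_purge', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
```

Reviewing a plugin for this class of flaw means checking every `wp_ajax_nopriv_` registration against the handler it points to and asking whether the handler performs any action that should require a capability; a nonce check alone does not answer that question.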

Successful exploitation allows attackers to manipulate the plugin’s cache system and configuration. Attackers can purge cached content, modify optimization settings, reset plugin options, and trigger database optimization operations. This can lead to denial of service through cache disruption, configuration tampering, and potential performance degradation. The vulnerability does not directly enable remote code execution or data exfiltration but provides unauthorized control over the caching infrastructure.