CVE-2026-23694
Received Received - Intake
CSRF Vulnerability in Aruba HiSpeed Cache WordPress Plugin

Publication date: 2026-02-23

Last updated on: 2026-02-23

Assigner: VulnCheck

Description
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23694
EUVD
EUVD-2026-7494
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aruba aruba_hispeed_cache to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23694 is a cross-site request forgery (CSRF) vulnerability in the Aruba HiSpeed Cache WordPress plugin versions prior to 3.0.5. The vulnerability affects multiple administrative AJAX actions where the plugin performs authentication and capability checks but fails to verify a WordPress nonce for state-changing requests. This means an attacker can trick a logged-in administrator into visiting a malicious webpage that sends forged requests to the plugin's admin-ajax.php handlers. As a result, the attacker can cause unauthorized changes such as resetting plugin settings, toggling the WordPress WP_DEBUG configuration, or modifying cache purging behavior without the administrator's consent.

Impact Analysis

This vulnerability can lead to unauthorized changes in your WordPress site's caching plugin settings if an attacker tricks an administrator into visiting a malicious site. Specifically, it can cause the plugin's settings to be reset, debugging mode to be toggled on or off, or cache purging behavior to be altered without your knowledge or approval. These unauthorized changes can disrupt website performance, potentially expose debugging information, or affect how cached content is managed, which may degrade site functionality or security.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-23694 vulnerability in the Aruba HiSpeed Cache WordPress plugin, you should immediately update the plugin to version 3.0.5 or later, as versions prior to 3.0.5 contain the cross-site request forgery (CSRF) vulnerability.

Additionally, consider restricting access to administrative AJAX actions and ensure that WordPress nonces are properly verified for state-changing requests to prevent unauthorized actions.

If updating immediately is not possible, temporarily disabling the plugin or limiting administrator access to trusted users can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart