CVE-2026-1924
Received Received - Intake
CSRF in Aruba HiSpeed Cache Plugin Allows Settings Reset

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1924
EUVD
EUVD-2026-21250
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aruba hisped_cache to 3.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker to reset all settings of the Aruba HiSpeed Cache plugin to their default values without authentication.

The impact is limited to integrity since the attacker cannot directly access or modify data but can disrupt the plugin's configuration.

This could lead to degraded website performance or loss of custom caching configurations, potentially affecting site availability or user experience.

Executive Summary

The Aruba HiSpeed Cache plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 3.0.4.

This vulnerability exists because the function ahsc_ajax_reset_options() lacks nonce verification, which is a security measure to confirm that requests are legitimate.

As a result, an unauthenticated attacker can trick a site administrator into performing an action, such as clicking a malicious link, which causes all plugin settings to be reset to their default values without the administrator's explicit consent.

Mitigation Strategies

To mitigate this vulnerability, you should update the Aruba HiSpeed Cache plugin for WordPress to a version later than 3.0.4 where the nonce verification issue in the ahsc_ajax_reset_options() function is fixed.

Additionally, avoid clicking on suspicious links or performing actions from untrusted sources that could trigger a forged request.

Compliance Impact

The vulnerability allows unauthenticated attackers to reset all plugin settings to their default values by tricking a site administrator into performing an action. While this can lead to potential integrity issues, there is no direct indication from the provided information that it results in unauthorized data disclosure or loss of confidentiality.

Given the nature of the vulnerability (Cross-Site Request Forgery affecting plugin settings), it may indirectly impact compliance with standards like GDPR or HIPAA if security controls are weakened or configurations protecting personal data are reset. However, no explicit connection to compliance violations is stated in the provided context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart