CVE-2026-23694

MEDIUM

Aruba HiSpeed Cache <3.0.5 - CSRF

Title source: llm

Description

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.

References (2)

[Product] https://wordpress.org/plugins/aruba-hispeed-cache/

[Various Sources] https://hosting.aruba.it/en/wordpress.aspx

Scores

CVSS v4 5.1

EPSS 0.0004

EPSS Percentile 12.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (1)

Aruba.it/Aruba HiSpeed Cache < 3.0.5

Published Feb 23, 2026

Tracked Since Feb 23, 2026