Vulnerabilities and security researches fornew-user-approve new-user-approve

Feb 27, 2026

CVE, Research URL: CVE-2025-69063
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Feb 20, 2026
Research Description: Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0.
Affected versions: max 3.2.0.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-12770
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Nov 19, 2025
Research Description: The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
Affected versions: max 3.1.0.
Status: vulnerable

Dec 15, 2024

CVE, Research URL: CVE-2024-54323
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in WPExpertsio New User Approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through 2.6.2.
Affected versions: max 2.6.2.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 2.1.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2022-1625
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Jun 27, 2022
Research Description: The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites.
Affected versions: max 2.1.
Status: vulnerable

CVE, Research URL: CVE-2023-50902
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Dec 29, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.This issue affects New User Approve: from n/a through 2.5.1.
Affected versions: max 2.5.2.
Status: vulnerable

CVE, Research URL: a914ab360f5373364b002ff95df35db62d4f7ca4
Home page URL: Security reports for New User Approve
Application: New User Approve
Date: Feb 28, 2022
Research Description: New User Approve [new-user-approve] < 2.4.1 WordPress New User Approve plugin <= 2.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress New User Approve plugin (versions <= 2.0).
Affected versions: max 2.4.1.
Status: vulnerable