CVE-2025-63030 HIGH

CVE-2025-63030: WordPress New User Approve plugin <= 3.2.3 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Saad Iqbal
Product New User Approve
Weakness CWE-352 · CSRF
Published December 9, 2025
Last update April 29, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.3.

Explanation of Vulnerability in Simple Terms

02 Summary

New User Approve versions 3.2.3 and earlier contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a site administrator, performs unwanted actions on the site without the admin's knowledge. The vulnerability requires the admin to click a link or visit a page controlled by the attacker. This can lead to unauthorized changes or denial of service.

What an attacker can do

03 Attacker Capabilities

Trick a site admin into performing unwanted actions (like approving users or changing settings) by visiting a malicious webpage.

Potential impact on your site

04 Site Impact

Admins could unknowingly approve malicious user accounts, modify plugin settings, or trigger actions that disrupt site availability.

Conditions required to exploit

05 Prerequisites

Site admin must visit a webpage controlled by the attacker; no special privileges or authentication bypass needed.

Key dates

06 Disclosure timeline

December 9, 2025 CVE published
April 29, 2026 Record updated