VYPR
Medium severity · NVD Advisory · Published Feb 23, 2026 · Updated Apr 15, 2026

CVE-2026-23694

Description

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Aruba HiSpeed Cache plugin prior to 3.0.5 has a CSRF bug in multiple AJAX actions, letting attackers trick admins into resetting settings or altering debug/purge config.

The Aruba HiSpeed Cache WordPress plugin (versions before 3.0.5) contains a cross-site request forgery (CSRF) vulnerability affecting several administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge correctly enforce authentication and capability checks but fail to verify a WordPress nonce for state-changing requests. This omission means that a logged-in administrator can be tricked into performing unintended actions without their knowledge [[1]](#ref1) [[2]](#ref2).
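The missing check next to its corrected form, as an added example that is not the plugin's own code: a generic WordPress AJAX handler registered for the ahsc_reset_options action. The example_* function names, the nonce action string, the option key and the script handle are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source. The example_* names, the nonce
// action string and the option key are hypothetical; only the AJAX action name
// ahsc_reset_options comes from the advisory.
const EXAMPLE_NONCE_ACTION = 'example_ahsc_reset';

// Pattern the advisory describes: the capability check passes for any request
// carrying the administrator's session cookie, including one that another
// site caused the browser to send, so it proves identity but not intent.
function example_reset_options_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    delete_option( 'example_ahsc_options' ); // state change without a nonce check
    wp_send_json_success();
}

// Hardened form: same capability check, plus a nonce that only pages rendered
// for this user's admin session can know.
function example_reset_options_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Third argument false: return false on failure instead of die( '-1' ),
    // so the handler can answer with a JSON error and a 403 status.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }
    delete_option( 'example_ahsc_options' );
    wp_send_json_success();
}
add_action( 'wp_ajax_ahsc_reset_options', 'example_reset_options_protected' );

// The settings screen passes the nonce to the plugin's own admin script, which
// sends it back as the 'nonce' field of each state-changing request.
function example_enqueue_admin_script() {
    wp_enqueue_script(
        'example-ahsc-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-ahsc-admin', 'exampleAhsc', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( EXAMPLE_NONCE_ACTION ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing other plugins for the same class of bug, every wp_ajax_ callback that changes state should contain both the capability check and a check_ajax_referer or wp_verify_nonce call before the first write.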

Exploitation

An attacker can craft a malicious webpage containing forged requests to admin-ajax.php. By inducing an authenticated administrator to visit that page (e.g., via social engineering or a compromised site), the forged requests will be executed with the administrator's privileges. No additional authentication or network position is required beyond the admin being logged into a vulnerable WordPress instance running the plugin [[1]](#ref1) [[2]](#ref2).

Impact

Successful exploitation allows an attacker to reset the plugin's settings to defaults, toggle the WordPress WP_DEBUG configuration, or modify the cache purging behavior. This could lead to degraded site performance, exposure of debug information (potentially revealing sensitive data), or disruption of caching operations that affect site availability and speed [[1]](#ref1) [[2]](#ref2).

Mitigation

The vulnerability has been addressed in version 3.0.5 of the Aruba HiSpeed Cache plugin. Users are strongly advised to update to this latest version immediately. Administrators should also be cautious about clicking untrusted links while logged into the WordPress admin panel [[1]](#ref1) [[2]](#ref2).

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
