Cross-Site Request Forgery Vulnerability in Aruba HiSpeed Cache by Aruba
CVE-2026-23694

5.1MEDIUM

Key Information:

Vendor: WordPress
Status: Aruba Hispeed Cache
Vendor: CVE Published:; 23 February 2026

What is CVE-2026-23694?

The Aruba HiSpeed Cache plugin for WordPress suffers from a cross-site request forgery (CSRF) vulnerability in versions prior to 3.0.5. This flaw affects several administrative AJAX actions that, while performing authentication and capability checks, fail to validate a WordPress nonce for state-changing requests. An attacker could trick a logged-in administrator into visiting a malicious webpage that sends forged requests to admin-ajax.php. This exploitation can lead to unauthorized changes, such as resetting plugin settings, altering the WP_DEBUG configuration, or adjusting cache purging behavior without the administrator's consent.

Affected Version(s)

Aruba HiSpeed Cache 0 < 3.0.5

References

https://wordpress.org/plugins/aruba-hispeed-cache/

productpatch

https://hosting.aruba.it/en/wordpress.aspx

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2026
Vulnerability Reserved
Jan 14, 2026

Credit

Rahul Karne

VulnCheck

CVE-2026-23694 Data

JSON