New User Approve Security & Risk Analysis

wordpress.org/plugins/new-user-approve

WordPress user approval plugin to moderate registrations. Approve or deny real users and prevent fake signups to control who registers on site.

20K active installs v3.2.4 PHP + WP 4.0+ Updated Feb 10, 2026
Tags: registration, user-approval, user-management, user-registration, users
86
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Feb 11, 2026
Safety Verdict

Is New User Approve Safe to Use in 2026?

Generally Safe

Score 86/100

New User Approve has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Feb 11, 2026 · Updated 1mo ago
Risk Assessment

The 'new-user-approve' plugin v3.2.4 exhibits a mixed security posture. On the positive side, the code demonstrates strong adherence to secure coding practices with an exceptionally high percentage of SQL queries using prepared statements and output escaping. Nonce and capability checks are also present in a reasonable number of places, indicating an awareness of common WordPress security vulnerabilities. Taint analysis shows no critical or high severity unsanitized paths, which is a very positive sign.

However, significant concerns arise from the plugin's attack surface and its historical vulnerability record. A notable 15 out of 41 REST API routes lack permission callbacks, exposing these endpoints to potential unauthorized access and manipulation. Furthermore, the plugin has a history of 8 known CVEs, including one critical and one high-severity vulnerability in the past. While there are currently no unpatched vulnerabilities, this history suggests a recurring pattern of security weaknesses. Common vulnerability types like Missing Authorization, Exposure of Sensitive Information, CSRF, and XSS point to a need for more robust access control and input validation across the plugin's functionalities.

In conclusion, while the current version of 'new-user-approve' benefits from good internal coding practices like prepared statements and output escaping, the exposed REST API routes and the plugin's historical vulnerability patterns are significant risk factors. The lack of proper authorization on several REST API endpoints is a critical area of concern that could lead to unauthorized actions. Users should be cautious, and developers should prioritize patching these exposed endpoints and thoroughly reviewing the codebase for similar authorization flaws to improve the plugin's overall security.

Key Concerns

  • REST API routes without permission callbacks
  • History of 1 critical CVE
  • History of 1 high CVE
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities: 8

New User Approve Security Vulnerabilities

CVEs by Year

  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs
  • 2026: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 6

8 total CVEs

CVE-2025-69063 · medium · 5.3 · Missing Authorization

New User Approve <= 3.2.0 - Missing Authorization

Feb 11, 2026 · Patched in 3.2.1 (7d)

CVE-2026-0832 · high · 7.3 · Missing Authorization

New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure

Jan 27, 2026 · Patched in 3.2.3 (1d)

CVE-2025-12770 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

New User Approve <= 3.0.9 - Unauthenticated Sensitive Information Disclosure via Type Juggling

Nov 18, 2025 · Patched in 3.1.0 (1d)

CVE-2025-63030 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

New User Approve <= 3.2.3 - Cross-Site Request Forgery

Nov 8, 2025 · Patched in 3.2.4 (111d)

CVE-2024-54323 · medium · 4.3 · Missing Authorization

New User Approve <= 2.6.2 - Missing Authorization

Dec 11, 2024 · Patched in 2.6.4 (8d)

CVE-2023-50902 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

New User Approve <= 2.5.1 - Cross-Site Request Forgery via admin_notices

Dec 26, 2023 · Patched in 2.5.2 (28d)

CVE-2022-1625 · critical · 9.6 · Cross-Site Request Forgery (CSRF)

New User Approve <= 2.4 - Cross-Site Request Forgery

Jun 1, 2022 · Patched in 2.4.1 (601d)

WF-b8e3f779-9d25-4525-a827-8ce743bd889e-new-user-approve · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

New User Approve <= 2.4 - Reflected Cross-Site Scripting

May 30, 2022 · Patched in 2.4.1 (603d)

Code Analysis
Analyzed Mar 16, 2026

New User Approve Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (18 prepared)
  • Unescaped Output: 2 (157 escaped)
  • Nonce Checks: 32
  • Capability Checks: 14
  • File Operations: 4
  • External Requests: 4
  • Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

95% prepared · 19 total queries

Output Escaping

99% escaped · 159 total outputs
Data Flows
All sanitized

Data Flow Analysis

6 flows
user_table (includes\admin-approve.php:260)
Attack Surface
15 unprotected

New User Approve Attack Surface

Entry Points: 41
Unprotected: 15

REST API Routes 41

POST /wp-json/nua-request/v1/save-invitation-codes · includes\end-points\invitation-code-api.php:31
GET /wp-json/nua-request/v1/get-invitation-settings · includes\end-points\invitation-code-api.php:40
GET /wp-json/nua-request/v1/update-invitation-settings · includes\end-points\invitation-code-api.php:49
GET /wp-json/nua-request/v1/get-nua-codes · includes\end-points\invitation-code-api.php:58
GET /wp-json/nua-request/v1/get-remaining-uses · includes\end-points\invitation-code-api.php:67
GET /wp-json/nua-request/v1/get-total-uses · includes\end-points\invitation-code-api.php:76
GET /wp-json/nua-request/v1/get-expiry · includes\end-points\invitation-code-api.php:85
GET /wp-json/nua-request/v1/get-status · includes\end-points\invitation-code-api.php:94
GET /wp-json/nua-request/v1/get-invited-users · includes\end-points\invitation-code-api.php:103
POST /wp-json/nua-request/v1/update-invitation-code · includes\end-points\invitation-code-api.php:112
POST /wp-json/nua-request/v1/delete-invCode · includes\end-points\invitation-code-api.php:121
GET /wp-json/nua-request/v1/connect-app · includes\end-points\mobile-api.php:18
GET /wp-json/nua-request/v1/disconnect-app · includes\end-points\mobile-api.php:24
GET /wp-json/nua-request/v1/check-license · includes\end-points\mobile-api.php:30
GET /wp-json/nua-request/v1/get-dashboard-data · includes\end-points\mobile-api.php:36
GET /wp-json/nua-request/v1/get-all-requests · includes\end-points\mobile-api.php:42
GET /wp-json/nua-request/v1/get-user-details · includes\end-points\mobile-api.php:48
GET /wp-json/nua-request/v1/user-approve · includes\end-points\mobile-api.php:54
GET /wp-json/nua-request/v1/user-deny · includes\end-points\mobile-api.php:60
GET /wp-json/nua-request/v1/general-settings · includes\end-points\settings-api.php:36
GET /wp-json/nua-request/v1/help-settings · includes\end-points\settings-api.php:55
GET /wp-json/nua-request/v1/recent-users · includes\end-points\users-api.php:26
POST /wp-json/nua-request/v1/update-user · includes\end-points\users-api.php:35
GET /wp-json/nua-request/v1/get-all-users · includes\end-points\users-api.php:44
GET /wp-json/nua-request/v1/get-approved-users · includes\end-points\users-api.php:53
GET /wp-json/nua-request/v1/get-pending-users · includes\end-points\users-api.php:62
GET /wp-json/nua-request/v1/get-denied-users · includes\end-points\users-api.php:71
GET /wp-json/nua-request/v1/get-approved-user-roles · includes\end-points\users-api.php:80
GET /wp-json/nua-request/v1/get-user-roles · includes\end-points\users-api.php:89
GET /wp-json/nua-request/v1/get-activity-log · includes\end-points\users-api.php:98
POST /wp-json/nua-request/v1/update-user-role · includes\end-points\users-api.php:107
GET /wp-json/nua-request/v1/get-api-key · includes\end-points\users-api.php:116
POST /wp-json/nua-request/v1/update-api-key · includes\end-points\users-api.php:125
GET /wp-json/nua-request/v1/get-all-statuses-users · includes\end-points\users-api.php:134
GET /wp-json/nua-zapier/v1/auth · includes\zapier\includes\rest-api.php:44
GET /wp-json/nua-zapier/v1/user-approved · includes\zapier\includes\rest-api.php:51
GET /wp-json/nua-zapier/v1/user-denied · includes\zapier\includes\rest-api.php:57
GET /wp-json/nua-zapier/v1/user-invcode · includes\zapier\includes\rest-api.php:63
GET /wp-json/nua-zapier/v1/user-pending · includes\zapier\includes\rest-api.php:69
GET /wp-json/nua-zapier/v1/user-whitelisted · includes\zapier\includes\rest-api.php:75
GET /wp-json/nua-zapier/v1/user-approved-via-role · includes\zapier\includes\rest-api.php:81
WordPress Hooks 89
action · admin_menu · includes\admin-approve.php:45
action · admin_menu · includes\admin-approve.php:46
action · admin_menu · includes\admin-approve.php:51
action · admin_menu · includes\admin-approve.php:52
action · admin_init · includes\admin-approve.php:54
action · admin_notices · includes\admin-approve.php:55
action · admin_init · includes\admin-approve.php:56
action · admin_footer · includes\admin-approve.php:57
action · init · includes\email-tags.php:258
action · nua_add_email_tags · includes\email-tags.php:348
action · rest_api_init · includes\end-points\invitation-code-api.php:26
action · rest_api_init · includes\end-points\mobile-api.php:13
action · nua_app_push_notif · includes\end-points\mobile-api.php:14
action · rest_api_init · includes\end-points\settings-api.php:31
action · rest_api_init · includes\end-points\users-api.php:20
filter · nua_disable_welcome_email · includes\invitation-code.php:53
action · register_form · includes\invitation-code.php:65
filter · register_post · includes\invitation-code.php:69
filter · woocommerce_register_post · includes\invitation-code.php:75
filter · new_user_approve_default_status · includes\invitation-code.php:82
action · woocommerce_register_form · includes\invitation-code.php:88
action · um_after_form_fields · includes\invitation-code.php:93
action · um_submit_form_errors_hook__registration · includes\invitation-code.php:99
action · um_submit_form_errors_hook__profile · includes\invitation-code.php:105
action · um_submit_form_errors_hook_login · includes\invitation-code.php:111
action · nua_invited_user · includes\invitation-code.php:117
action · uwp_template_fields · includes\invitation-code.php:124
filter · uwp_validate_fields_before · includes\invitation-code.php:130
filter · new_user_approve_pending_message · includes\invitation-code.php:1059
action · mepr-product-registration-metabox · includes\memberpress.php:3
action · mepr-membership-save-meta · includes\memberpress.php:39
filter · mepr-admin-members-cols · includes\memberpress.php:78
action · mepr_members_list_table_row · includes\memberpress.php:144
action · admin_head · includes\memberpress.php:146
action · memberpress_page_memberpress-members · includes\memberpress.php:157
filter · new_user_approve_show_membership_notice · includes\plugins.php:17
action · load-users.php · includes\user-list.php:33
action · restrict_manage_users · includes\user-list.php:34
action · pre_user_query · includes\user-list.php:40
action · admin_footer-users.php · includes\user-list.php:41
action · load-users.php · includes\user-list.php:42
action · admin_notices · includes\user-list.php:43
action · show_user_profile · includes\user-list.php:44
action · edit_user_profile · includes\user-list.php:45
action · edit_user_profile_update · includes\user-list.php:46
action · admin_menu · includes\user-list.php:50
filter · user_row_actions · includes\user-list.php:53
filter · manage_users_columns · includes\user-list.php:59
filter · manage_users_custom_column · includes\user-list.php:60
action · rest_api_init · includes\zapier\includes\rest-api.php:35
action · new_user_approve_user_approved · includes\zapier\includes\user.php:32
action · new_user_approve_user_denied · includes\zapier\includes\user.php:33
filter · new_user_approve_default_status · includes\zapier\includes\user.php:34
action · nua_invited_user · includes\zapier\includes\user.php:40
action · nua_whitelisted_users · includes\zapier\includes\user.php:46
action · role_base_approval_completed · includes\zapier\includes\user.php:52
action · admin_head · pw-new-user-approve.php:44
action · wp_loaded · pw-new-user-approve.php:45
action · rightnow_end · pw-new-user-approve.php:46
action · user_register · pw-new-user-approve.php:47
action · new_user_approve_approve_user · pw-new-user-approve.php:48
action · new_user_approve_deny_user · pw-new-user-approve.php:49
action · deleted_user · pw-new-user-approve.php:50
action · admin_enqueue_scripts · pw-new-user-approve.php:51
action · register_post · pw-new-user-approve.php:53
action · woocommerce_created_customer · pw-new-user-approve.php:54
action · lostpassword_post · pw-new-user-approve.php:55
action · user_register · pw-new-user-approve.php:56
action · user_register · pw-new-user-approve.php:57
action · new_user_approve_approve_user · pw-new-user-approve.php:58
action · new_user_approve_deny_user · pw-new-user-approve.php:59
action · new_user_approve_deny_user · pw-new-user-approve.php:60
action · admin_init · pw-new-user-approve.php:61
action · wp_login · pw-new-user-approve.php:62
filter · wp_authenticate_user · pw-new-user-approve.php:63
filter · registration_errors · pw-new-user-approve.php:64
filter · login_message · pw-new-user-approve.php:65
filter · new_user_approve_validate_status_update · pw-new-user-approve.php:66
filter · shake_error_codes · pw-new-user-approve.php:67
filter · woocommerce_registration_auth_new_customer · pw-new-user-approve.php:68
action · woocommerce_checkout_order_processed · pw-new-user-approve.php:69
action · admin_menu · pw-new-user-approve.php:70
action · plugins_loaded · pw-new-user-approve.php:71
filter · pmpro_setup_new_user · pw-new-user-approve.php:73
action · pmpro_after_checkout · pw-new-user-approve.php:74
action · the_content · pw-new-user-approve.php:75
filter · woocommerce_email_recipient_customer_new_account · pw-new-user-approve.php:669
filter · wp_mail_content_type · pw-new-user-approve.php:702
filter · woocommerce_email_enabled_customer_new_account · pw-new-user-approve.php:822
Maintenance & Trust

New User Approve Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 10, 2026
PHP min version
Downloads: 847K

Community Trust

Rating: 86/100
Number of ratings: 130
Active installs: 20K
Developer Profile

New User Approve Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days
Detection Fingerprints

How We Detect New User Approve

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/new-user-approve/css/style.css
  • /wp-content/plugins/new-user-approve/css/style-rtl.css
  • /wp-content/plugins/new-user-approve/js/main.js

Version Parameters
  • new-user-approve/css/style.css?ver=
  • new-user-approve/css/style-rtl.css?ver=
  • new-user-approve/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • nua-section-title
  • nua-card
  • nua-card-body
  • nua-card-header
  • nua-card-title
  • nua-card-description
  • nua-card-actions
  • nua-button-primary
  • +49 more

HTML Comments
  • <!-- New User Approve Plugin -->
  • <!-- END New User Approve Plugin -->

Data Attributes
  • data-nua-setting

JS Globals
  • window.nuaApproveSettings
  • NUA_AJAX_URL
  • NUA_REST_URL
  • NUA_VERSION

REST Endpoints
  • /wp-json/new-user-approve/v1/settings
  • /wp-json/new-user-approve/v1/users
  • /wp-json/new-user-approve/v1/invitations

Shortcode Output
  • [new_user_approve_form]
  • [new_user_approve_registration_form]
  • [new_user_approve_login_form]
  • [new_user_approve_pending_message]