Description
Incorrect Privilege Assignment vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Privilege Escalation.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.1.
Published: 2025-02-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an incorrect privilege assignment flaw that permits a user with a lower role in WordPress to gain elevated capabilities. The deficiency is classified as CWE‑266, indicating improper permission assignment. An attacker who can authenticate to the WordPress admin can exploit the flaw to obtain higher privileges and perform actions beyond their assigned scope.

Affected Systems

The Bowo Admin and Site Enhancements (ASE) plugin for WordPress is affected from the initial release through version 7.6.2.1. Any WordPress site that has this plugin installed in a vulnerable version is at risk; administrators should verify the installed plugin version and confirm it is not one of the releases listed here.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high risk, yet the EPSS score of <1% indicates a low current probability of exploitation. The attack vector is inferred to require an authenticated user who can access the backend, as the flaw involves assigning higher privileges within the administration interface. The vulnerability is not listed in the CISA KEV catalog, but due to the potential for privilege escalation, timely action is recommended.

Generated by OpenCVE AI on May 2, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ASE plugin to a version newer than 7.6.2.1 or uninstall it if it is unnecessary for site functionality.
  • Re‑evaluate user roles in WordPress and remove the permission to manage plugins from users that do not require it.
  • Implement or strengthen role‑based access controls to ensure that only administrators can assign or modify capability sets within the site.

Generated by OpenCVE AI on May 2, 2026 at 09:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3846 Incorrect Privilege Assignment vulnerability in wpase.com Admin and Site Enhancements (ASE) allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through 7.6.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in wpase.com Admin and Site Enhancements (ASE) allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through 7.6.2.1. Incorrect Privilege Assignment vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Privilege Escalation.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00048}

 epss

{'score': 0.0006}

Tue, 04 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in wpase.com Admin and Site Enhancements (ASE) allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through 7.6.2.1.
Title WordPress Admin and Site Enhancements (ASE) Plugin <= 7.6.2.1 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.279Z

Reserved: 2025-01-23T14:51:41.777Z

Link: CVE-2025-24648

cve-icon Vulnrichment

Updated: 2025-02-04T15:07:53.431Z

cve-icon NVD

Status : Deferred

Published: 2025-02-04T15:15:23.460

Modified: 2026-04-23T15:25:12.780

Link: CVE-2025-24648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses