Description
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
Published: 2026-07-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Admin and Site Enhancements plugin allows attackers to restore a previously demoted administrator account without any form of authentication or authorization. This flaw arises because the role-restoration handler lacks proper access control and nonce validation, enabling an unauthenticated user to elevate privileges and gain full administrative rights over the WordPress site.

Affected Systems

WordPress installations running the Admin and Site Enhancements (ASE) plugin or the admin-site-enhancements-pro variant with a version lower than 8.8.4 are at risk. The vulnerability exists in all prior releases up to, but not including, 8.8.4.

Risk and Exploitability

The vulnerability is highly impactful, with a CVSS score of 8.1. Its EPSS score of less than 1% indicates that exploitation attempts are currently rare, and the flaw is not listed in the CISA KEV catalog. An attacker can trigger the role-restoration endpoint simply by sending an unauthenticated HTTP request containing a reset-for parameter, making the exploit straightforward. Based on the description, it is inferred that no additional privileges are required to execute the attack.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ASE or admin-site-enhancements-pro plugin to version 8.8.4 or later.
  • If an upgrade is not immediately possible, block or remove the role-restoration endpoint that processes the reset-for parameter using server-side rules or firewall filters.
  • Implement proper authentication, authorization, and nonce checks around any role-management functionality, following best practices for access control as identified by CWE-284.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
Title Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via reset-for Parameter
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-06T12:00:32.159Z

Reserved: 2026-06-12T13:04:18.229Z

Link: CVE-2026-12083

cve-icon Vulnrichment

Updated: 2026-07-06T12:00:28.985Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses