Impact
Unverified input in the ASE Pro plugin allows attackers to inject malicious JavaScript code. The flaw is a classic reflected XSS that does not require authentication, meaning any visitor to the vulnerable site can trigger the payload. Successful exploitation would let an attacker run arbitrary scripts in the victim's browser, potentially hijacking sessions, defacing the site, or stealing sensitive data, leading to significant confidentiality, integrity, and availability impact.
Affected Systems
The vulnerability affects the WordPress plugin Admin and Site Enhancements (ASE) Pro, specifically all releases up to and including version 8.8.5. Any website running the plugin in those versions is exposed, regardless of the site’s user role levels.
Risk and Exploitability
The flaw carries a CVSS score of 9.6, indicating a critical severity. With no authentication required and the elasticity of web browsers, an attacker could target any site through crafted URLs or injected content. The EPSS score is not available, so the current exploitation probability is unknown, but the high CVSS suggests that if discovered attackers will likely use it. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment