Back to overview

CVE-2026-12083

HIGH Exploitation: PoC
8.1
CVSS 3.1
Description
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.

Metadata

CVE ID
CVE-2026-12083
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-12 13:04 UTC
Published
2026-07-06 06:00 UTC
Last updated
2026-07-06 12:00 UTC
Vendor / Product
Unknown / Admin and Site Enhancements (ASE)
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
Unknown Admin and Site Enhancements (ASE) 7.6.3 < 8.8.4
Unknown admin-site-enhancements-pro 7.6.3 < 8.8.4
Weakness (CWE)
CWESourceDescription
cna CWE-269 Improper Privilege Management
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 adp CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview