CVE-2026-12083
HIGH Exploitation: PoC
8.1
CVSS 3.1
Description
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
Metadata
Severity & Metrics
8.1
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Affected products (2)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Admin and Site Enhancements (ASE) | — | 7.6.3 < 8.8.4 |
| Unknown | admin-site-enhancements-pro | — | 7.6.3 < 8.8.4 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-269 Improper Privilege Management |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.1 | HIGH | 3.1 | adp | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |