CVE-2025-24649
Description
Missing authorization in the WordPress plugin Admin and Site Enhancements (ASE) up to v7.6.2 allows attackers to exploit incorrect access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin Admin and Site Enhancements (ASE) (admin-site-enhancements) contains a missing authorization vulnerability affecting versions through 7.6.2 [1]. The flaw resides in how the plugin handles access control, allowing exploitation of incorrectly configured access control security levels. The affected range has no stated lower bound (n/a) and extends up to and including 7.6.2 [CVE description].
Exploitation
An attacker with low-level access (such as a subscriber or contributor role) can leverage this missing authorization to trigger actions or access features that should require higher privileges [CVE description]. The attacker does not need to be authenticated as an administrator; any authenticated user with a WordPress account on the target site can attempt exploitation. The exact sequence of steps involves bypassing capability checks in the plugin's code to invoke functions intended for elevated roles.
Impact
Successful exploitation allows the attacker to perform unauthorized actions within the WordPress admin or site enhancements, leading to partial compromise of the site's access control [CVE description]. This could include altering plugin settings, manipulating content, or gaining additional permissions. The confidentiality, integrity, and availability impact is limited, with the CVSS v3.1 score of 4.3 (Medium) reflecting this [CVE description].
Mitigation
The vulnerability is fixed in version 7.6.3 and later [1]. Users should immediately update the plugin to the latest available version (8.8.0 as of the reference) to remediate the issue. No workaround is provided in the available references [1]. The plugin is not listed on the CISA KEV catalog as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.6.2
- Range: <=7.6.2
Patches
No patches discovered yet.
References