CVE-2026-32423

The vulnerability is a missing authorization issue in the Admin and Site Enhancements (ASE) plugin for WordPress, affecting versions up to and including 8.4.0. The plugin fails to properly verify access control security levels, allowing exploitation of incorrectly configured access controls [1].

Attackers can exploit this broken access control without needing authentication, potentially executing actions that should require higher privileges. The vulnerability is considered medium severity with a CVSS v3 score of 5.4, and it is known to be used in mass-exploit campaigns targeting thousands of websites regardless of site size or popularity [1].

Successful exploitation could allow an attacker to perform unauthorized actions within the WordPress admin interface, such as modifying settings or accessing restricted functionality. The impact is limited to low severity, but the vulnerability is actively exploited in the wild [1].

The vendor has released version 8.4.1 which resolves the issue. Users are strongly advised to update immediately update to this version or enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].