WordPress ASE Plugin Vulnerability Threatens Site Security
A privilege escalation vulnerability has been identified in the Admin and Site Enhancements (ASE) plugin for WordPress, affecting both the free and pro versions up to and including 7.6.2.1.
The flaw lets a low-privileged user restore a higher role they previously held, such as administrator, and therefore poses a serious security risk. The issue has been patched in version 7.6.3 and is tracked as CVE-2025-24648 and CVE-2024-43333.
The ASE plugin, with over 100,000 active installations, is designed to enhance WordPress admin workflows. The flaw originates in the "View Admin as Role" feature, which, when enabled, lets a user restore a previously held role without any authorization check.
If an administrator downgraded a user's access, the affected user could exploit the vulnerability to restore the higher privileges, such as administrator access, that the plugin had recorded for them.
Security analysts at Patchstack found that the role-restoration routine verified only a nonce and performed no capability check. A nonce protects a form or action against cross-site request forgery; it does not establish that the requesting user is authorized to perform the action.
Any authenticated user whose earlier, higher role was still stored in user metadata could therefore escalate their privileges simply by triggering the restoration.
“Since there [was] no proper check on the process, including a nonce check, users [were] able to reset the role of any user,” Patchstack explained.
Patchstack urged WordPress administrators to apply the latest ASE plugin update immediately, and implement the following additional recommendations:
- Disable the “View Admin as Role” feature if not necessary
- Regularly audit user roles and permissions
- Consider using security plugins or services for added protection
“It is always crucial to ensure that a user’s permission check is not solely reliant on nonce. In case the nonce is leaked somewhere, any user has access to sensitive actions and functions,” Patchstack explained.
“Along with the nonce check, a strong permission check is important to ensure a vulnerability like this one is not introduced in the codebase.”
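To make the distinction between the two checks concrete, the following is an added illustration and not ASE's own code or its fix. It models a "restore my original role" action in the style of the flaw described above: the vulnerable handler validates only a nonce, the hardened handler additionally requires a capability. The WordPress functions (wp_verify_nonce, current_user_can, get_user_meta and the role setter) are minimal stand-ins so the file runs under the php CLI; the user table, the nonce secret and the meta key `_example_original_roles` are constructed for the example and are not ASE's.

```php
<?php
// Added example, not code from ASE or Patchstack. Models a role-restoration
// action guarded by a nonce alone versus a nonce plus a capability check.

// Constructed user table: user 7 was an administrator, was downgraded to
// subscriber, and the plugin kept the original role in user meta
// (the meta key is hypothetical).
$users = [
    1 => ['roles' => ['administrator'], 'meta' => []],
    7 => ['roles' => ['subscriber'],    'meta' => ['_example_original_roles' => ['administrator']]],
];
$current_user_id = 7;                  // the downgraded user makes the request
$nonce_secret    = 'constructed-secret';

// Stand-ins for WordPress functions so the example runs offline.
function wp_create_nonce(string $action): string {
    global $nonce_secret;
    return hash_hmac('sha256', $action, $nonce_secret);
}
function wp_verify_nonce(string $nonce, string $action): bool {
    return hash_equals(wp_create_nonce($action), $nonce);
}
function current_user_can(string $cap): bool {
    global $users, $current_user_id;
    // Stand-in: only administrators hold manage_options.
    return $cap === 'manage_options'
        && in_array('administrator', $users[$current_user_id]['roles'], true);
}
function get_user_meta(int $user_id, string $key): array {
    global $users;
    return $users[$user_id]['meta'][$key] ?? [];
}
function set_user_roles(int $user_id, array $roles): void { // stand-in for WP_User::set_role()
    global $users;
    $users[$user_id]['roles'] = $roles;
}

// Vulnerable pattern: the nonce only proves the request came from a page the
// plugin rendered, and any logged-in user can load such a page and read it.
function restore_role_vulnerable(int $user_id, string $nonce): string {
    if (!wp_verify_nonce($nonce, 'restore_role')) {
        return 'denied: bad nonce';
    }
    $original = get_user_meta($user_id, '_example_original_roles');
    if ($original) {
        set_user_roles($user_id, $original);   // no authorization check here
    }
    return 'restored';
}

// Hardened pattern: nonce for CSRF, capability check for authorization.
// Restoring roles is an administrative action, so require manage_options.
function restore_role_hardened(int $user_id, string $nonce): string {
    if (!wp_verify_nonce($nonce, 'restore_role')) {
        return 'denied: bad nonce';
    }
    if (!current_user_can('manage_options')) {
        return 'denied: insufficient capability';
    }
    $original = get_user_meta($user_id, '_example_original_roles');
    if ($original) {
        set_user_roles($user_id, $original);
    }
    return 'restored';
}

// Usage: the subscriber presents a valid nonce to each handler in turn.
$nonce = wp_create_nonce('restore_role');
echo restore_role_hardened(7, $nonce), ' / roles: ', implode(',', $users[7]['roles']), "\n";
echo restore_role_vulnerable(7, $nonce), ' / roles: ', implode(',', $users[7]['roles']), "\n";
```

Run it with `php` from the command line: the hardened handler refuses the subscriber's request and leaves the role unchanged, while the vulnerable handler accepts the same nonce and hands back administrator. One caveat for a feature like "View Admin as Role", which deliberately masks an administrator's capabilities while they browse as a lower role: a plain current_user_can check on the masked user would also fail for the legitimate administrator, so the authorization logic has to be tied to who initiated the switch rather than to the capabilities in effect at the moment of the request.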
Image credit: Primakov / Shutterstock.com