WordPress ASE Plugin Vulnerability Threatens Site Security

A privilege escalation vulnerability has been identified in the Admin and Site Enhancements (ASE) plugin for WordPress, affecting both free and pro versions up to 7.6.2.1.
The flaw allows users to regain higher-level access privileges, posing a serious security risk. The issue has been patched in version 7.6.3 and is tracked as CVE-2025-24648 and CVE-2024-43333.
The ASE plugin, with over 100,000 active installations, is designed to enhance WordPress admin workflows. The security flaw originates from the “View Admin as Role” feature, which, when enabled, improperly allows users to recover their previous role.
If an administrator downgraded a user’s access, the affected user could exploit the vulnerability to restore higher privileges, such as administrator access.
Security analysts at Patchstack discovered that the flaw was due to insufficient checks on user role restoration. Specifically, the process failed to include robust permission verification, relying only on a nonce check.
This made it possible for any authenticated user to escalate their privileges if they had a previously higher role stored in user metadata.
“Since there [was] no proper check on the process, including a nonce check, users [were] able to reset the role of any user,” Patchstack explained.
Patchstack urged WordPress administrators to apply the latest ASE plugin update immediately and to implement the following additional recommendations:
- Disable the “View Admin as Role” feature if not necessary
- Regularly audit user roles and permissions
- Consider using security plugins or services for added protection
“It is always crucial to ensure that a user’s permission check is not solely reliant on nonce. In case the nonce is leaked somewhere, any user has access to sensitive actions and functions,” Patchstack explained.
“Along with the nonce check, a strong permission check is important to ensure a vulnerability like this one is not introduced in the codebase.”
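The pattern Patchstack describes, a nonce check backed by a real authorization check, can be sketched as follows. This is an added example, not the ASE plugin's code and not the 7.6.3 patch: the `example_*` function and action names and the `example_view_as_sessions` option are hypothetical, and the design (a server-side record of active view-as sessions that is voided when another account changes the user's role) is one possible approach.

```php
<?php
// Added example, not ASE's code. All example_* names and EXAMPLE_OPT are hypothetical.
const EXAMPLE_OPT = 'example_view_as_sessions'; // [ user_id => original roles ]

// Entering "view as role": only someone who holds manage_options right now
// may record a way back, and the record lives server-side.
function example_start_view_as( string $role ) {
    if ( ! current_user_can( 'manage_options' ) || ! get_role( $role ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $user                  = wp_get_current_user();
    $sessions              = get_option( EXAMPLE_OPT, array() );
    $sessions[ $user->ID ] = $user->roles;
    update_option( EXAMPLE_OPT, $sessions, false );
    $user->set_role( $role );
}

// A role change made by a different account (an admin demoting this user)
// voids any stored way back, so a stale record cannot undo the demotion.
add_action( 'set_user_role', function ( $user_id ) {
    if ( get_current_user_id() !== (int) $user_id ) {
        $sessions = get_option( EXAMPLE_OPT, array() );
        unset( $sessions[ (int) $user_id ] );
        update_option( EXAMPLE_OPT, $sessions, false );
    }
} );

add_action( 'wp_ajax_example_restore_role', 'example_restore_role' );
function example_restore_role() {
    // The nonce ties the request to a page we rendered (CSRF defence).
    // It says nothing about whether this caller may regain a role.
    check_ajax_referer( 'example_restore_role', 'nonce' );

    $user_id  = get_current_user_id(); // target is never read from the request
    $sessions = get_option( EXAMPLE_OPT, array() );
    if ( empty( $sessions[ $user_id ] ) ) {
        wp_send_json_error( 'No active view-as session', 403 );
    }
    $roles = $sessions[ $user_id ];
    unset( $sessions[ $user_id ] );
    update_option( EXAMPLE_OPT, $sessions, false ); // single use

    $user = new WP_User( $user_id );
    $user->set_role( '' ); // drop the temporary role
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
    wp_send_json_success();
}
```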