
ASE WordPress flaw exposes sites to privilege escalation


A critical vulnerability has been discovered in the popular WordPress plugin Admin and Site Enhancements (ASE), which has more than 100,000 active installations; it affects both the free and pro versions. The flaw allows a user to escalate privileges by regaining a previously held administrator role even after being downgraded to a lower role.

Users are advised to update to version 7.6.3 immediately to mitigate the risk of privilege escalation attacks.

The vulnerability, tracked as CVE-2025-24648 and CVE-2024-43333, affects ASE versions 7.6.2.1 and below. It stems from a flaw in the ‘View Admin as Role’ feature, which temporarily allows users to switch to a different role for testing purposes. Due to broken logic in role switching, a downgraded user can regain their previous, more privileged role.

“For example, when a user is initially given an Administrator role and then the role is downgraded to a Subscriber role, the user, in this case, is able to recover their previous role, which is Administrator if the ‘View Admin as Role’ feature is enabled on the plugin,” researchers reported. The issue is particularly concerning because it does not require administrative privileges to execute, making it an attractive target for potential attackers.

Sample of the patch issued in version 7.6.3 of ASE. | Source: Patchstack

The flaw is linked to improper handling of user metadata stored in the ‘_asenha_view_admin_as_original_roles’ field. When an administrator switches roles, ASE saves their original role to this metadata. Because the permission checks on the role-restoration path are faulty, a user can trigger the restoration and have their prior privileged role reinstated.

Additionally, the affected versions of ASE fail to enforce proper nonce validation and permission verification in role resets. As a result, even a non-administrative user could exploit the flaw to regain high-level access, posing a significant security risk.

The vendor has addressed this security flaw in version 7.6.3 by introducing a fix that deletes the stored ‘_asenha_view_admin_as_original_roles’ metadata whenever a user’s role is modified. This prevents unauthorised privilege restoration. The patch also improves security checks, properly validating role restoration actions.
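As an added example, not ASE's own code or the actual 7.6.3 patch, here is the hardening pattern the article describes: a WordPress hook that forgets the stashed original roles on any role change, and a restore handler that requires a valid nonce and acts only on the caller's own account. The example_* function names and the admin_post action name are assumptions; the meta key is the one quoted above, and everything else is WordPress core API.

```php
<?php
// Added example (not ASE's own code): the hardening pattern described in the
// article. example_* names and the admin_post action are assumptions; the
// meta key is the one from the article; everything else is WordPress core API.
const EXAMPLE_ROLES_META = '_asenha_view_admin_as_original_roles';
// Fix 1: WP core fires 'set_user_role' on every role change. Forget the stash
// there, so a demoted user cannot later "restore" a role they were stripped of.
add_action( 'set_user_role', function ( $user_id ) {
    delete_user_meta( $user_id, EXAMPLE_ROLES_META );
} );
// Entering "view as": only a currently privileged user may stash roles, and
// the stash is written AFTER set_role() so that Fix 1 does not wipe it.
function example_switch_to_role( int $user_id, string $role ): bool {
    $user = get_userdata( $user_id );
    if ( ! $user || ! get_role( $role ) || ! user_can( $user, 'manage_options' ) ) {
        return false;
    }
    $original = $user->roles;
    $user->set_role( $role );
    update_user_meta( $user_id, EXAMPLE_ROLES_META, $original );
    return true;
}
// Leaving "view as": the stash is the only authority, single-use, and each role must still exist.
function example_restore_original_roles( int $user_id ): bool {
    $original = get_user_meta( $user_id, EXAMPLE_ROLES_META, true );
    delete_user_meta( $user_id, EXAMPLE_ROLES_META );
    $user = get_userdata( $user_id );
    if ( ! $user || ! is_array( $original ) || empty( $original ) ) {
        return false;
    }
    $user->set_role( '' ); // drop the previewed role (fires Fix 1 harmlessly)
    foreach ( $original as $role ) {
        if ( get_role( $role ) ) {
            $user->add_role( $role );
        }
    }
    return true;
}
// Fix 2: the reset request needs a valid nonce and a logged-in caller, and only touches that caller.
add_action( 'admin_post_example_restore_roles', function () {
    check_admin_referer( 'example_restore_roles' ); // dies on a bad/missing nonce
    $user_id = get_current_user_id();
    if ( ! $user_id || ! example_restore_original_roles( $user_id ) ) {
        wp_die( 'Nothing to restore.', 403 );
    }
    wp_safe_redirect( admin_url() );
    exit;
} );
```

The stash is written after `set_role()` because that call itself fires `set_user_role`; writing it first would let Fix 1 erase it immediately.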

Last month, two critical vulnerabilities were discovered in the RealEstate plugin, affecting 32,600 websites.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
