WordPress Plugin Vulnerabilities

Admin and Site Enhancements (ASE) < 7.6.3 - Subscriber+ Privilege Escalation

Description

The plugin is vulnerable to Privilege Escalation due to improper access controls, making it possible for authenticated attackers with Subscriber-level access and above to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
admin-site-enhancements
Fixed in 7.6.3

References

CVE
CVE-2025-24648
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2ca42f3-776f-4ba4-a409-863799338c85

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
420f4067-f828-40c1-8153-be2ec98767e5

Timeline

Publicly Published
2026-01-20 (about 4 months ago)
Added
2026-05-04 (about 20 days ago)
Last Updated
2026-05-24 (about 13 hours ago)

Other

Published
Title
Published
2023-06-02
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.5 - Subscriber+ Settings Update & Stored XSS
Published
2014-08-01
Title
Construct 1.4 - dl-skin.php _mysite_delete_skin_zip Parameter Absolute Path Traversal Remote Directory Deletion
Published
2020-02-05
Title
Events Manager < 5.9.7.2 - CSV Injection
Published
2019-10-25
Title
Email Templates < 1.3.1 - HTML Injection
Published
2023-09-10
Title
Modula < 2.7.5 - Incomplete Authorization via 'save_image' and 'save_images'