Admin and Site Enhancements (ASE) Pro < 7.6.3 – Subscriber+ Privilege Escalation | CVE 2024-43333 | Plugin Vulnerabilities

Description

The plugins are vulnerable to privilege escalation due to the plugin not properly restricting user's ability to utilize the “View Admin as Role” feature. This makes it possible for authenticated attackers, with Subscriber-level access and above, to recover access to a previous role, such as administrator, granted they had previously held a higher role. CVE-2025-24648 is a duplicate assignment of the same vulnerability.

Affects Plugins

admin-site-enhancements

Fixed in 7.6.3

admin-site-enhancements-pro

Fixed in 7.6.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5d4ad020-0b40-456b-8f8c-597c7c4ef698

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

65bae25b-d36c-4231-87d6-1ed7cfc10f5d

Timeline

Publicly Published

2025-02-03 (about 1 year ago)

Added

2025-02-13 (about 1 year ago)

Last Updated

2025-02-13 (about 1 year ago)

Other

Published

Title

Published

2017-11-12

Title

WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution

Published

2025-04-17

Title

Real Estate 7 < 3.5.3 - Unauthenticated Privilege Escalation

Published

2020-05-28

Title

bbPress < 2.6.5 - Unauthenticated Privilege Escalation when New User Registration enabled

Published

2025-01-20

Title

Easy Real Estate < 2.3.0 - Unauthenticated Privilege Escalation

Published

2025-02-28

Title

Exertio Framework < 1.3.2 - Unauthenticated Arbitrary User Password Update