Admin and Site Enhancements (ASE) < 7.5.2 – Authenticated Stored Cross-Site Scripting via SVG | CVE 2024-10790 | Plugin Vulnerabilities

Description

The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This feature must be enabled, and for specific roles in order to be exploitable.

Affects Plugins

admin-site-enhancements

Fixed in 7.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/96e12fa5-eba4-4f69-ae3a-7e460bfa9e5d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

d83ceff5-0990-42b8-9e75-2c7fe4bc9007

Timeline

Publicly Published

2024-11-11 (about 1 year ago)

Added

2024-11-11 (about 1 year ago)

Last Updated

2024-11-12 (about 1 year ago)

Other

Published

Title

Published

2024-04-04

Title

Happy Addons for Elementor < 3.10.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag

Published

2014-08-01

Title

Custom Tables 3.4.4 - iframe.php key Parameter XSS

Published

2024-06-18

Title

Easy Table of Contents < 2.0.67 - Editor+ Stored XSS

Published

2015-05-06

Title

ClickBank Affiliate Ads < 1.35 - Admin+ Stored Cross-Site Scripting

Published

2025-04-01

Title

Lightweight and Responsive Youtube Embed <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting