CVE-2026-12083

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
Configurations

No configuration.

History

06 Jul 2026, 13:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.1

06 Jul 2026, 09:10

Type Values Removed Values Added
Summary
  • (es) El plugin de WordPress Admin and Site Enhancements (ASE), en versiones anteriores a la 8.8.4, y el plugin admin-site-enhancements-pro, en versiones anteriores a la 8.8.4, no realizan comprobaciones de autenticación, autorización ni de nonce en el gestor de solicitudes de restauración de roles, lo que permite a atacantes no autenticados restaurar una cuenta de administrador previamente degradada a su rol de administrador. Se trata de una corrección incompleta de los vulnerabilidades CVE-2024-43333 y CVE-2025-24648, que solo resolvió el problema para una de las rutas de degradación que expone la API de roles de WordPress.

06 Jul 2026, 08:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-06 08:16

Updated : 2026-07-06 18:37


NVD link : CVE-2026-12083

Mitre link : CVE-2026-12083

CVE.ORG link : CVE-2026-12083


JSON object : View

Products Affected

No product.

CWE

No CWE.