The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
References
Configurations
No configuration.
History
06 Jul 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
06 Jul 2026, 09:10
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
06 Jul 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-06 08:16
Updated : 2026-07-06 18:37
NVD link : CVE-2026-12083
Mitre link : CVE-2026-12083
CVE.ORG link : CVE-2026-12083
JSON object : View
Products Affected
No product.
CWE
No CWE.
