CVE-2026-12083 PUBLISHED

Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via reset-for Parameter

Assigner: WPScan
Reserved: 12.06.2026 Published: 06.07.2026 Updated: 06.07.2026

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.

Product Status

Vendor Unknown
Product Admin and Site Enhancements (ASE)
Versions Default: unaffected
  • affected from 7.6.3 to 8.8.4 (excl.)
Vendor Unknown
Product admin-site-enhancements-pro
Versions Default: unaffected
  • affected from 7.6.3 to 8.8.4 (excl.)

Credits

  • Revanth Hari Narayana Matte finder
  • WPScan coordinator

References

Problem Types

  • CWE-269 Improper Privilege Management CWE