Skip to main content

ASE Pro CVE-2026-57625

| EUVDEUVD-2026-41279 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-r269-6x8w-gh3v
9.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Unauthenticated network XSS needing victim interaction (UI:R) with scope change into the admin origin; high confidentiality via session theft, limited integrity, no direct availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:02 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Admin and Site Enhancements (ASE) Pro <= 8.8.5 versions.

AnalysisAI

Stored/reflected cross-site scripting in the Admin and Site Enhancements (ASE) Pro WordPress plugin (versions 8.8.5 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser once they view the affected page or follow a crafted link. Because the flaw requires no authentication and carries a scope-changing CVSS 3.1 score of 9.6, a single successful lure can lead to admin session hijacking and full site takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running ASE Pro <= 8.8.5
Delivery
Craft malicious XSS payload
Exploit
Lure admin to view content (UI:R)
Execution
Script executes in site origin
Persist
Steal session or create rogue admin
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that a site run Admin and Site Enhancements (ASE) Pro version 8.8.5 or earlier, and - per the CVSS UI:R metric - that a victim take an action such as opening an attacker-supplied link or viewing attacker-injected content; no authentication is needed by the attacker (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuinely high-priority issue but with an important caveat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or submits content containing a malicious JavaScript payload that ASE Pro fails to sanitize, then lures a logged-in WordPress administrator to open it (e.g., via a phishing email or malicious comment/link). When the admin's browser renders the page, the script executes in the site's origin and can steal session cookies, create a rogue admin account, or plant a backdoor, effectively handing over the site. …
Remediation Upgrade ASE Pro to a version later than 8.8.5 once the vendor publishes a fixed release; the input data specifies the vulnerable ceiling (<= 8.8.5) but does not include an exact patched version number, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/admin-site-enhancements-pro/vulnerability/wordpress-admin-and-site-enhancements-ase-pro-plugin-8-8-5-cross-site-scripting-xss-vulnerability) and the plugin vendor for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress instances for ASE Pro installations and document affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy