Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Unauthenticated network XSS needing victim interaction (UI:R) with scope change into the admin origin; high confidentiality via session theft, limited integrity, no direct availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Admin and Site Enhancements (ASE) Pro <= 8.8.5 versions.
AnalysisAI
Stored/reflected cross-site scripting in the Admin and Site Enhancements (ASE) Pro WordPress plugin (versions 8.8.5 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser once they view the affected page or follow a crafted link. Because the flaw requires no authentication and carries a scope-changing CVSS 3.1 score of 9.6, a single successful lure can lead to admin session hijacking and full site takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a site run Admin and Site Enhancements (ASE) Pro version 8.8.5 or earlier, and - per the CVSS UI:R metric - that a victim take an action such as opening an attacker-supplied link or viewing attacker-injected content; no authentication is needed by the attacker (PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuinely high-priority issue but with an important caveat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or submits content containing a malicious JavaScript payload that ASE Pro fails to sanitize, then lures a logged-in WordPress administrator to open it (e.g., via a phishing email or malicious comment/link). When the admin's browser renders the page, the script executes in the site's origin and can steal session cookies, create a rogue admin account, or plant a backdoor, effectively handing over the site. … |
| Remediation | Upgrade ASE Pro to a version later than 8.8.5 once the vendor publishes a fixed release; the input data specifies the vulnerable ceiling (<= 8.8.5) but does not include an exact patched version number, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/admin-site-enhancements-pro/vulnerability/wordpress-admin-and-site-enhancements-ase-pro-plugin-8-8-5-cross-site-scripting-xss-vulnerability) and the plugin vendor for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all WordPress instances for ASE Pro installations and document affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41279
GHSA-r269-6x8w-gh3v