
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Admin and Site Enhancements (ASE) Pro plugin, affecting over 100,000 WordPress installations, contains a privilege escalation vulnerability (CVE-2024-43333) discovered in versions through 7.6.2.1. The vulnerability was identified on December 13, 2024, and publicly disclosed on February 3, 2025. This security issue affects both the free and pro versions of the plugin (Patchstack Article).
The vulnerability stems from broken logic in the 'View Admin as Role' feature, which allows users to recover their previous role. The issue is classified as an Incorrect Privilege Assignment (CWE-266) with a CVSS v3.1 score of 7.5 (High), using the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability occurs when a user's role is downgraded; they can potentially recover their previous, higher-privileged role if the 'View Admin as Role' feature is enabled (Patchstack Article, NVD).
The vulnerability allows an authenticated user to escalate privileges by recovering a previous role. For example, a user who was previously an Administrator and was downgraded to a Subscriber could exploit this vulnerability to regain Administrator privileges, potentially leading to full website control (Patchstack Article).
The vulnerability has been patched in version 7.6.3 of both the free and pro versions of the plugin. The fix includes adding a function hook to delete the asenhaviewadminasoriginalroles user meta when there is a profile update on the user. Users are strongly advised to update to version 7.6.3 or later (Patchstack Article).
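The stale-role logic and the 7.6.3 fix can be seen in a simplified model. This is an added example, not the plugin's code: the `Site` class and its method names are hypothetical, and it assumes the feature stores a snapshot of the user's original roles in user meta and restores from it. The meta key is copied as it appears on this page.

```python
# Simplified model of the role-snapshot logic (illustrative, not plugin code).
META_KEY = "asenhaviewadminasoriginalroles"  # as written on this page


class Site:
    def __init__(self, clear_on_profile_update):
        # True models the 7.6.3 behaviour, False the behaviour before the fix.
        self.clear_on_profile_update = clear_on_profile_update
        self.roles = {}  # user -> list of current roles
        self.meta = {}   # user -> dict of user meta

    def add_user(self, user, roles):
        self.roles[user] = list(roles)
        self.meta[user] = {}

    def view_as(self, user, role):
        """User temporarily views the admin as another role; the first
        call stores a snapshot of the original roles in user meta."""
        self.meta[user].setdefault(META_KEY, list(self.roles[user]))
        self.roles[user] = [role]

    def profile_update(self, user, new_roles):
        """Someone edits the user's profile, for example to downgrade them."""
        self.roles[user] = list(new_roles)
        if self.clear_on_profile_update:
            # The fix: a profile update invalidates the stored snapshot.
            self.meta[user].pop(META_KEY, None)

    def switch_back(self, user):
        """User asks to return to the stored roles, if a snapshot exists."""
        saved = self.meta[user].pop(META_KEY, None)
        if saved is not None:
            self.roles[user] = saved
        return self.roles[user]


def roles_after_downgrade(patched):
    """Constructed scenario: snapshot taken, then a real downgrade."""
    site = Site(clear_on_profile_update=patched)
    site.add_user("alice", ["administrator"])
    site.view_as("alice", "subscriber")           # snapshot = administrator
    site.profile_update("alice", ["subscriber"])  # downgrade by site owner
    return site.switch_back("alice")


if __name__ == "__main__":
    print("before fix:", roles_after_downgrade(patched=False))
    print("after fix: ", roles_after_downgrade(patched=True))
```

Without the cleanup, the snapshot outlives the downgrade and the old role comes back; with it, the downgrade sticks while an ordinary view-and-return with no profile edit in between still works.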
Source: This report was generated using AI