HarborGuard Database

CRITICAL | CVE-2026-57625 | CNA: Patchstack

CVE-2026-57625: WordPress Admin and Site Enhancements (ASE) Pro plugin <= 8.8.5 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Admin and Site Enhancements (ASE) Pro <= 8.8.5 versions.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a stored or reflected cross-site scripting (XSS) vulnerability in the Admin and Site Enhancements (ASE) Pro WordPress plugin, affecting all versions up to and including 8.8.5. The flaw is reachable over the network without any authentication, but requires a victim to interact with attacker-supplied content, such as visiting a crafted page or clicking a malicious link. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to full account takeover, data theft, and unauthorized changes to site content. No fix version has been published; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images and pipeline artifacts that carry an affected plugin version, custom-built WordPress images included. Coverage extends to any image layer where the ASE Pro plugin is bundled, regardless of how the image was built.

Triage: Available

HarborGuard scores this finding at CVSS 9.6 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within the customer org based on policy-defined ownership rules for WordPress workloads.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point, with no manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends a crafted HTTP request to the exposed WordPress installation without needing a foothold on the host.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated external party who can reach the service.

  • Victim interaction: Required

    A victim (typically a logged-in administrator or privileged user) must interact with attacker-supplied content, such as visiting a crafted URL or page that triggers the malicious script.

  • Attack complexity: Low

    Exploit complexity is low; no race conditions, special memory layout, or environmental prerequisites are required, making the attack reliable and repeatable.

Blast Radius

  • Attacker-controlled JavaScript executes in the victim's browser session, allowing theft of session cookies and authentication tokens for the affected WordPress site.
  • Captured admin credentials or session tokens enable full takeover of the WordPress site, including creation of backdoor accounts and installation of malicious plugins.
  • The attacker can modify page content, inject persistent malicious scripts into site pages, and redirect site visitors to external attacker-controlled destinations.
  • Confidential data visible to the victim in the browser, including user records, configuration values, and unpublished content, is exposed to the attacker.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle for a patch release. In the meantime, customers can apply compensating controls through HarborGuard policy rules:

  • flagging all images containing ASE Pro <= 8.8.5 as non-deployable;
  • enforcing network-policy isolation on WordPress workloads to restrict public exposure;
  • enabling egress filtering to limit post-exploitation callback opportunities.

Where compliance policy permits, the moment Patchstack or the plugin author publishes a patched version, HarborGuard will make a rebuilt image available at that version. Customers with auto-remediation enabled will receive an automated rebuild, regression test run, and a PR opened against affected workloads, with a median time from fix publication to merged patch PR of around 90 minutes for Critical-severity issues in auto-remediation environments.
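The first of those compensating controls comes down to comparing each installed plugin version against the advisory's upper bound of 8.8.5. The script below is an added illustration of that check, not HarborGuard's policy engine or any code from the advisory: it evaluates a constructed image inventory (the image names and the `admin-site-enhancements-pro` slug are assumptions, since the advisory names neither) and flags ASE Pro at or below 8.8.5 as non-deployable. The point it demonstrates is that the comparison must be numeric, component by component; a plain string comparison would sort 8.10.0 before 8.8.5 and wrongly flag a newer release.

```python
import re
from dataclasses import dataclass

# Upper bound of the affected range, as stated in the advisory.
ASE_PRO_MAX_AFFECTED = "8.8.5"

# Plugin slug is an assumption for illustration; the advisory does not name one.
ASE_PRO_SLUG = "admin-site-enhancements-pro"

# Constructed sample inventory: (image reference, plugin slug, installed version).
# Image names are invented for this example.
SAMPLE_INVENTORY = [
    ("registry.example/shop-wp:2026.04", ASE_PRO_SLUG, "8.8.5"),
    ("registry.example/blog-wp:2026.03", ASE_PRO_SLUG, "8.7.2"),
    ("registry.example/docs-wp:2026.05", ASE_PRO_SLUG, "8.10.0"),
    ("registry.example/intranet-wp:1.9", ASE_PRO_SLUG, "8.9"),
    ("registry.example/landing-wp:3.1", "some-other-plugin", "1.0.0"),
]


def parse_version(version: str) -> tuple:
    """Turn '8.8.5', 'v8.9' or '8.8.5-rc1' into a tuple of integers.

    Only the dotted numeric core is compared; a pre-release suffix is ignored.
    Trailing zeros are stripped so that 8.8.5.0 compares equal to 8.8.5.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, max_affected: str = ASE_PRO_MAX_AFFECTED) -> bool:
    """Numeric range check: True when installed <= max_affected."""
    return parse_version(installed) <= parse_version(max_affected)


@dataclass(frozen=True)
class Finding:
    image: str
    version: str
    verdict: str  # "non-deployable" or "allowed"


def evaluate(inventory, slug: str = ASE_PRO_SLUG) -> list:
    """Apply the deny rule to every image in the inventory that ships the plugin."""
    findings = []
    for image, plugin, version in inventory:
        if plugin != slug:
            continue  # rule only concerns ASE Pro
        verdict = "non-deployable" if is_affected(version) else "allowed"
        findings.append(Finding(image, version, verdict))
    return findings


def non_deployable(inventory=SAMPLE_INVENTORY) -> list:
    """Images the policy would block from deployment."""
    return [f.image for f in evaluate(inventory) if f.verdict == "non-deployable"]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.image}\tASE Pro {f.version}\t{f.verdict}")
```

Run stand-alone, the script lists the two images at 8.8.5 and 8.7.2 as non-deployable and leaves 8.9 and 8.10.0 alone; the unrelated plugin is skipped.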

Affected packages
  • ASE / Admin and Site Enhancements (ASE) Pro: ≤ 8.8.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References