Admin and Site Enhancements (ASE) <= 8.4.0 - Missing Authorization
Description
The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=8.4.0What Changed in the Fix
Changes introduced in v8.4.1
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-32423 ## 1. Vulnerability Summary The **Admin and Site Enhancements (ASE)** plugin for WordPress (versions <= 8.4.0) contains a missing authorization vulnerability in its **Content Duplication** module (and potentially other modules like Content Order). The `…
Show full research plan
Exploitation Research Plan - CVE-2026-32423
1. Vulnerability Summary
The Admin and Site Enhancements (ASE) plugin for WordPress (versions <= 8.4.0) contains a missing authorization vulnerability in its Content Duplication module (and potentially other modules like Content Order). The ASENHA\Classes\Content_Duplication::duplicate_content() function performs a capability check using current_user_can( 'edit_posts' ).
In WordPress, the edit_posts capability is granted to Contributor roles and above. However, this function is used to duplicate any post type, including page, which typically requires the edit_pages or edit_others_pages capability. Furthermore, the function does not verify if the current user has permission to read or edit the specific post being duplicated. This allows a Contributor-level attacker to duplicate pages or posts authored by others (including Administrators) that they should not have permission to manipulate.
2. Attack Vector Analysis
- Vulnerable Function:
ASENHA\Classes\Content_Duplication::duplicate_content() - Trigger: An
admin_inithook (or similar listener) that responds to a request containing specific query parameters. - Endpoint:
/wp-admin/edit.phpor/wp-admin/admin.php - Required Parameters:
post: The ID of the post or page to duplicate.nonce: A WordPress nonce for the actionasenha-duplicate-[ID].asenha_duplicate: (Inferred trigger parameter) A flag to trigger the duplication logic.
- Authentication: Authenticated, Contributor role or higher.
- Precondition: The "Content Duplication" module must be enabled in the ASE settings.
3. Code Flow
- Registration: The plugin initializes its modules in
bootstrap.php. TheContent_Duplicationclass is instantiated. - Hook: The
duplicate_content()method is likely hooked toadmin_init. - Execution:
duplicate_content()is called.- It retrieves the post ID:
$original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) );(line 125). - It retrieves the nonce:
$nonce = sanitize_text_field( $_REQUEST['nonce'] );(line 126). - Authorization Check:
if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication )(line 127). - Flaw:
$allow_duplicationis set totrueifcurrent_user_can( 'edit_posts' )(line 123-124).
- Sink:
wp_insert_post($args)is called (line 151) to create a new draft of the target post, effectively allowing the Contributor to "own" a copy of restricted content.
4. Nonce Acquisition Strategy
The nonce is generated using wp_create_nonce( 'asenha-duplicate-' . $post->ID ). These nonces are injected into the "Row Actions" (the links that appear when hovering over a post title) in the WordPress admin list tables for any post type where duplication is enabled.
Procedure for Contributor:
- Navigate: Go to the Pages list (
/wp-admin/edit.php?post_type=page). By default, Contributors can view the titles of all pages in the admin area. - Inspect: ASE adds a "Duplicate"
Summary
The Admin and Site Enhancements (ASE) plugin is vulnerable to unauthorized access because the Content Duplication module uses a generic capability check ('edit_posts') instead of item-specific permissions. This allows authenticated users with Contributor-level access to duplicate and subsequently view restricted content, such as password-protected posts or private pages authored by administrators.
Vulnerable Code
// classes/class-content-duplication.php lines 122-132 public function duplicate_content() { $allow_duplication = false; if ( current_user_can( 'edit_posts' ) ) { $allow_duplication = true; } $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) ); $nonce = sanitize_text_field( $_REQUEST['nonce'] ); if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication ) { $original_post = get_post( $original_post_id ); --- // classes/class-content-duplication.php lines 291-297 public function is_user_allowed_to_duplicate_content() { $allow_duplication = false; if ( current_user_can( 'edit_posts' ) ) { $allow_duplication = true; } return $allow_duplication; }
Security Fix
@@ -120,11 +120,11 @@ * @since 1.0.0 */ public function duplicate_content() { + $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) ); $allow_duplication = false; - if ( current_user_can( 'edit_posts' ) ) { + if ( current_user_can( 'edit_post', $original_post_id ) ) { $allow_duplication = true; } - $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) ); $nonce = sanitize_text_field( $_REQUEST['nonce'] ); if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication ) { $original_post = get_post( $original_post_id ); @@ -229,9 +229,9 @@ * @since 6.3.0 */ public function add_admin_bar_duplication_link( WP_Admin_Bar $wp_admin_bar ) { - $duplication_link_locations = $this->get_duplication_link_locations(); - $allow_duplication = $this->is_user_allowed_to_duplicate_content(); global $pagenow, $post; + $duplication_link_locations = $this->get_duplication_link_locations(); + $allow_duplication = $this->is_user_allowed_to_duplicate_content( $post ); if ( is_object( $post ) ) { if ( property_exists( $post, 'post_type' ) ) { $post_type = $post->post_type; @@ -288,10 +288,14 @@ * * @since 6.9.3 */ - public function is_user_allowed_to_duplicate_content() { + public function is_user_allowed_to_duplicate_content( $post = null ) { $allow_duplication = false; - if ( current_user_can( 'edit_posts' ) ) { - $allow_duplication = true; + if ( is_object( $post ) ) { + if ( property_exists( $post, 'ID' ) ) { + if ( current_user_can( 'edit_post', $post->ID ) ) { + $allow_duplication = true; + } + } } return $allow_duplication; }
Exploit Outline
The exploit requires a user authenticated with at least the Contributor role and the 'Content Duplication' module enabled. An attacker identifies the ID of a target post (such as a restricted Page or another user's password-protected content) and obtains a valid duplication nonce, which the plugin exposes in the WordPress admin list tables or the frontend admin bar to users with the 'edit_posts' capability. The attacker then sends a request to the duplication handler (likely hooked to 'admin_init') with the 'post' ID and 'nonce' parameters. Because the plugin only checks if the user has the 'edit_posts' permission rather than permission to edit that specific post ID, it creates a new draft copy of the restricted content with the attacker set as the author, granting them full access to the target content's details.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.