CVE-2024-10790

Published November 12th, 2024

View on NVD ↗

CVSS v3

5.4

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This feature must be enabled, and for specific roles in order to be exploitable.

Admin and Site Enhancements (ASE)

Admin and Site Enhancements (ASE) helps you to easily enhance various admin workflows and site aspects while replacing multiple plugins doing it. Pro version with Lifetime Deal (LTD) is available at <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">www.wpase.com</a>. Here’s a quick walkthrough of ASE Free at v7.1.5 by Jakson. <iframe loading="lazy" class="youtube-player" width="750" height="422" src="https://www.youtube.com/embed/ZEiIKfz2p2Q?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent" allowfullscreen="true" style="border:0;" sandbox="allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox"></iframe> Here’s a detailed walkthrough of ASE Free at v7.0.3 by Pascal Claro. <iframe loading="lazy" class="youtube-player" width="750" height="422" src="https://www.youtube.com/embed/bX-2gmpCEMU?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent" allowfullscreen="true" style="border:0;" sandbox="allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox"></iframe> <a href="https://www.wpase.com/video-reviews/" rel="nofollow ugc">See more video reviews >></a> <h3>What Users Say</h3> “ASE easily replaces a dozen or more plugins I install on every website project. Super lightweight and easy to use.” ~<a href="https://wordpress.org/support/topic/amazing-must-have-plugin-2/" rel="ugc">NetzzJD</a> “I bought the lifetime deal and was blown away by the quality, and the free version replaces SO many other plugins too. LOVE THIS!” ~<a href="https://wordpress.org/support/topic/amazing-plugin-2545/" rel="ugc">Jacob Wonder</a> “ASE is an amazing plugin! Time and money saver. Thank you!” ~<a href="https://wordpress.org/support/topic/amazing-plugin-precious/" rel="ugc">Iulian Baciu</a> <a href="https://www.wpase.com/" rel="nofollow ugc">See more reviews >></a> <h3>FEATURES & MODULES</h3> 76 modules in total: 58 free modules (32 has Pro features) | 18 Pro modules <a href="https://www.wpase.com/features/" rel="nofollow ugc">See all features >></a> <h3>Content Management</h3> <ul> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Custom Content Types. Register custom post types (CPT), custom taxonomies, custom field groups and options pages that integrates with Bricks, Breakdance, Oxygen and Elementor, and compatible with various block themes and plugins. An alternative for ACF Pro, Meta Box, Toolset, Pods, JetEngine or ACPT.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Post Type Switcher. Switch the post type of one or more posts to a different post type.</li> <li>Content Duplication. Duplicate pages, posts and public CPTs. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables duplication only for certain user roles and certain public and non-public post types, and adds location option for duplication links.</li> <li>Content Order. Drag-and-drop custom ordering of hierarchical post types. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables ordering of non-hierarchical post types, including media / attachments, reordering and changing the parent of child posts is supported, as well as applying the custom order on the frontend.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Terms Order. Drag-and-drop custom ordering of terms and child terms from various taxonomies and apply the custom order on the frontend.</li> <li>Media Files Visibility Control: Limit media files visibility so only administrators can see all media files. Non-administrator users will only see media files they uploaded themselves. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds an option to specify which non-administrator user roles will have such limitation. </li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Media Categories. Hierarchical categories for the media library with drag-and-drop categorization.</li> <li>Media Replacement. Replace any type of media file with a new one while ensuring no existing links will break. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows replacing media from the grid view of media library.</li> <li>SVG Upload. Allow some or all user roles to upload SVG files with sanitization to keep things secure.</li> <li>AVIF Upload. Enable uploading AVIF files in the Media Library.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Public Preview for Drafts. Public preview for draft and scheduled posts from some or all public post types.</li> <li>External Permalinks. Enable pages, posts and/or custom post types to have permalinks pointing to external URLs. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows enabling only on / except on certain post types, or on all post types.</li> <li>Open All External Links in New Tab. Force all links to external sites to open in new browser tab. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows excluding links with certain domains / subdomains from opening in a new tab and from getting the rel=”nofollow” attribute.</li> <li>Allow Custom Navigation Menu Items to Open in New Tab. Allow custom navigation menu items to have links that open in a new browser tab.</li> <li>Auto-Publish Posts with Missed Schedule. Trigger publishing of scheduled posts marked with “missed schedule”, anytime the site is visited.</li> </ul> <h3>Admin Interface</h3> <ul> <li>Clean Up Admin Bar. Remove various default elements from the admin bar. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables removal of admin bar items from other plugins.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Admin Bar Custom Elements. Add custom menu and submenu items to the admin bar.</li> <li>Hide Admin Notices. Move notices into a dedicated panel accessible via the admin bar. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables completely hiding notices for non-admins.</li> <li>Disable Dashboard Widgets. Completely disable some or all widgets.</li> <li>Hide Admin Bar. Frontend hiding for all or some user roles. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows hiding on the backend and make frontend admin bar toggleable.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Admin Logo. Show custom logo in the admin bar or the (top of) admin menu.</li> <li>Wider Admin Menu. Up to 300px wide.</li> <li>Admin Menu Editor / Organizer. Customize order for the admin menu. Change menu item title or hide some items. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows always hiding menu items for some or all user roles, adding custom menu and submenu items, reordering submenu items and always allowing eligible users to view and access a menu item.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Admin Columns Manager. Organize columns in the admin list tables. Supports columns for ASE, ACF and Meta Box custom fields.</li> <li>Show Custom Taxonomy Filters. Show additional filter(s) on list tables for hierarchical, custom taxonomies. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows showing additional filter(s) for non-hierarchical taxonomies.</li> <li>Enhance List Tables. Improve the usefulness of listing pages of various post types by adding / removing columns and elements, e.g. featured image, excerpt, last modified, ID, media file size columns.</li> <li>Various Admin UI Enhancements: <ul> <li>Media Library Infinite Scrolling: Re-enable this in the grid view.</li> <li>Display Active Plugins First: On the plugins list.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Preserve Taxonomy Hierarchy: Preserve the visual hierarchy of taxonomy terms checklist in the classic editor.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Enable Dashboard Columns Settings: Set columns layout between 1 to 4 columns.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Add User Role Slug(s) to Admin Body Classes.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Add Usermame to Admin Body Classes.</li> </ul> </li> <li>Custom Admin Footer Text: Customize the text you see on the footer of wp-admin. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables media insertion.</li> </ul> <h3>Log In/Out & Register</h3> <ul> <li>Change Login URL. Make the login URL more memorable and secure. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds compatibility with login process in WooCommerce pages, i.e. account and checkout, and custom 404 redirect on default login URLs.</li> <li>Login ID Type. Restrict login ID only to username or email address.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Login Page Customizer. Easily customize the design of the login page.</li> <li>Site Identity on Login Page. Use the site icon and URL to replace the default WordPress logo on the login page.</li> <li>Log In/Out Menu. Enable log in, log out and dynamic log in/out menu item for addition to any navigation menu. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows customizing the “Log In” and “Log Out” text.</li> <li>Registration Column. Show users registration date. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> makes the column sortable.</li> <li>Last Login Column. Log last login datetime and show it in the users list table. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> makes the column sortable.</li> <li>Redirect After Login / Logout. Set custom redirect URL for all or some user roles after login / logout. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows setting separate redirect URL for each role.</li> <li>Disable User Account. Disable login for individual users while preserving their content and display name.</li> </ul> <h3>Custom Code</h3> <ul> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Code Snippets Manager. Manage CSS / SCSS, JS, HTML and PHP code snippets to modify your site’s content, design, behaviour and functionalities.</li> <li>Custom Admin CSS.</li> <li>Custom Frontend CSS.</li> <li>Insert <head>, <body> and <footer> Code. Easily insert <meta>, <link>, <script> and <style> tags for tracking, analytics, etc.</li> <li>Custom Body Class.</li> <li>Manage ads.txt and app-ads.txt.</li> <li>Manage robots.txt.</li> </ul> <h3>Disable Components</h3> <ul> <li>Disable Gutenberg for some or all applicable post types. Optionally disable frontend block assets. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows disabling only on / except on certain post types, or on all post types.</li> <li>Disable Comments. Disable comments for some or all public post types. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows disabling only on / except on certain post types, or on all post types.</li> <li>Disable REST API. Disable REST API access for non-authenticated users and remove URL traces from <head>, HTTP headers and WP RSD endpoint. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> allows enabling access only for some, authenticated user roles, and adds a way to exclude certain API routes.</li> <li>Disable Feeds. Disable all RSS, Atom and RDF feeds.</li> <li>Disable Embeds. Prevent your site content from being embedded on other sites. Prevent embedding of non-whitelisted sites in your site. Disable all, related JavaScript. Removes support for the embed block.</li> <li>Disable All Updates. Completely disable core, theme and plugin updates and auto-updates. Will also disable update checks, notices and emails.</li> <li>Disable Author Archives. Return 404 (Not Found) error when trying to load author archives. Remove or disable links to author archives. Remove authors archives from the sitemap.</li> <li>Disable Smaller Components. Prevent smaller components from running or loading. Those are generator <meta> tag, version number, Windows Live Writer (WLW) manifest <link> tag, Really Simple Discovery (RSD) <link> tag, WordPress shortlink <link> tag in <head>, and also dashicons CSS and JS files, emoji support, jQuery Migrate, block-based widgets settings screen, native lazy load of images, application passwords, site admin email verification screen, user email notification after password change and plugin / theme editor.</li> </ul> <h3>Security</h3> <ul> <li>Limit Login Attempts. Prevent brute force attacks by limiting the number of failed login attempts allowed per IP address. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds IP whitelisting, which is also useful to unblock users. [<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] CAPTCHA Protection. Support for <a href="https://altcha.org/" rel="nofollow ugc">ALTCHA</a> self-hosted version (GDPR-compliant, open source, free), Google reCaptcha v2 and v3, and Cloudflare Turnstile for WordPress and WooCommerce default forms (login, password reset, registration and comment forms). [<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Two-Factor Authentication (2FA). Apply 2FA for some or all user roles with grace period settings and the option to apply different 2FA settings for each user role. Supported methods are authenticator app (TOTP), recovery codes and email.</li> <li>Obfuscate Author Slugs. Obfuscate publicly exposed author page URLs that shows the user slugs / usernames.</li> <li>Email Address Obfuscator. Obfuscate email address to prevent spam bots from harvesting them,. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables output of obfuscated mailto: link and also auto-obfuscation of email addresses in post content.</li> <li>Disable XML-RPC. Protect your site from brute force, DOS and DDOS attacks via XML-RPC. Also disables trackbacks and pingbacks.</li> </ul> <h3>Optimizations</h3> <ul> <li>Image Upload Control. Resize newly uploaded, large images to a smaller dimension and delete originally uploaded files. BMPs and non-transparent PNGs will be converted to JPGs and resized. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables setting custom JPG conversion quality and adds an option for conversion to WebP with custom conversion quality. You can also disable generation of some or all intermediate sizes.</li> <li>Revisions Control. Limit the number of revisions to keep for some or all post types. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> enables revisions control “only for”, “except for” or “for all” post types.</li> <li>Heartbeat Control. Modify the interval of the WordPress heartbeat API or disable it on admin pages, post creation/edit screens and/or the frontend.</li> </ul> <h3>Utilities</h3> <ul> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Site Backup and Migration. Backup files and database, restore from backups, and migrate or sync to another server.</li> <li>Email Delivery. Set custom sender name and email. Optionally use external SMTP service to ensure notification and transactional emails from your site are being delivered to inboxes. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds the option to specify a custom reply-to name and email, Bcc address(es), disable authentication and the option to log email delivery.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Form Builder. Enable the drag-and-drop creation of various types of forms (contact, feedback, booking, application, proposal, admission, support, survey, etc.) on the frontend to collect information from site visitors or users or members. 33 field types are available, including Net Promoter Score (NPS), Likert, Matrix of Uniform and Variable Dropdowns and CAPTCHA fields. Support custom form styles, multi-columns layout, email notification, auto responder, entries management and webhooks for sending submission data to Zapier, n8n, etc.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] File Manager. A comprehensive file manager with folder tree navigation, file and folder operations, and code editing capabilities.</li> <li>[<a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a>] Local User Avatar. Enable usage of any image from the media library as user avatars.</li> <li>Multiple User Roles. Assign multiple roles during user account creation and editing.</li> <li>Image Sizes Panel. Display a panel showing and linking to all available sizes when viewing an image in the media library. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds a copy button for the image URL on click.</li> <li>View Admin as Role. View admin pages and the site (logged-in) as one of the non-administrator user roles.</li> <li>Password Protection. Password-protect the entire site to hide the content from public view and search engine bots / crawlers. <a href="https://www.wpase.com/rdme-to-web" rel="nofollow ugc">ASE Pro</a> adds IP whitelisting and bypassing via URL parameter, and also applies design elements from the Logi

WordPress Plugin Directory

9.56M