CVE-2025-12901Cross-Site Request Forgery in Forum

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 98.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Asgaros Forum
Timeline
PublishedNov 12

Description

The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5asgaros/asgaros_forum3.2.1

🔴Vulnerability Details

2
CVEList
Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update2025-11-12
GHSA
GHSA-jww7-hq4m-9wq6: The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 32025-11-12
CVE-2025-12901 — Cross-Site Request Forgery in Forum | cvebase