Asgaros Forum vulnerabilities

12 known vulnerabilities affecting asgaros/asgaros_forum.

Total CVEs
12
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH5MEDIUM2UNKNOWN2

Vulnerabilities

Page 1 of 1
CVE-2025-12901MEDIUMCVSS 4.3≤ 3.2.12025-11-12
CVE-2025-12901 [MEDIUM] CWE-352 CVE-2025-12901: The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions u The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted
cvelistv5nvd
CVE-2025-11452HIGHCVSS 7.5≤ 3.1.02025-11-08
CVE-2025-11452 [HIGH] CWE-89 CVE-2025-11452: The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforu The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to appen
cvelistv5nvd
CVE-2025-39514UNKNOWN≤ 3.2.12025-04-16
CVE-2025-39514 CWE-79 CVE-2025-39514: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum asgaros-forum allows Stored XSS.This issue affects Asgaros Forum: from n/a through <= 3.2.1.
cvelistv5nvd
CVE-2025-32227UNKNOWN≤ 3.0.02025-04-10
CVE-2025-32227 CWE-290 CVE-2025-32227: Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identi Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identity Spoofing.This issue affects Asgaros Forum: from n/a through <= 3.0.0.
cvelistv5nvd
CVE-2024-32440HIGHCVSS 8.8fixed in 2.9.02024-04-15
CVE-2024-32440 [HIGH] CWE-352 CVE-2024-32440: Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum.This issue affects As Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.8.0.
nvd
CVE-2024-22284CRITICALCVSS 9.8fixed in 2.8.02024-01-24
CVE-2024-22284 [CRITICAL] CWE-502 CVE-2024-22284: Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects As Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2.
nvd
CVE-2023-5604CRITICALCVSS 9.8fixed in 2.7.12023-11-27
CVE-2023-5604 [CRITICAL] CWE-94 CVE-2023-5604: The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPres The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.
nvd
CVE-2022-41608HIGHCVSS 8.8fixed in 2.3.02023-05-22
CVE-2022-41608 [HIGH] CWE-352 CVE-2022-41608: Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versi Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions.
nvd
CVE-2022-0411HIGHCVSS 8.8fixed in 2.0.02022-02-28
CVE-2022-0411 [HIGH] CWE-89 CVE-2022-0411: The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter b The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection
nvd
CVE-2021-25045HIGHCVSS 7.2fixed in 1.15.152022-01-24
CVE-2021-25045 [HIGH] CWE-89 CVE-2021-25045: The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
nvd
CVE-2021-42365MEDIUMCVSS 4.8fixed in 1.15.142021-11-29
CVE-2021-42365 [MEDIUM] CWE-79 CVE-2021-42365: The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site instal
nvd
CVE-2021-24827CRITICALCVSS 9.8PoCfixed in 1.15.132021-11-08
CVE-2021-24827 [CRITICAL] CWE-89 CVE-2021-24827: The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subsc The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue
nvd