Description
The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Published: 2025-11-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized changes to subscription settings
Action: Apply Update
AI Analysis

Impact

The vulnerability allows an attacker to forge a request that changes the subscription level of a logged‑in user without the user’s knowledge. Because nonce validation is missing in the set_subscription_level() function, an unauthenticated attacker can construct a link or form that, when visited by an authenticated user, alters that user’s subscription settings. The weakness is classified as Cross‑Site Request Forgery (CWE‑352).

Affected Systems

This issue affects the Asgaros Forum WordPress plugin on all releases up to and including version 3.2.1. Any site running the affected plugin, particularly those that rely on the includes/forum‑notifications.php set_subscription_level() function, is susceptible. Installing a newer release removes the flaw.

Risk and Exploitability

The CVSS v3.1 score of 4.3 indicates medium severity, and the EPSS score of less than 1 % suggests a low likelihood of widespread exploitation. The vulnerability is not featured in the CISA KEV catalog. Exploitation requires a social‑engineering vector – an attacker must convince a logged‑in user to click a crafted link that submits the forged request. The attack does not provide code execution or direct data theft, but it can disrupt user preferences and potentially undermine the user experience.

Generated by OpenCVE AI on April 22, 2026 at 00:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Asgaros Forum plugin to the latest release (3.2.2 or newer).
  • If an upgrade cannot be applied immediately, add a nonce check to the set_subscription_level() function in includes/forum‑notifications.php.
  • Regularly review installed WordPress plugins and apply updates promptly to prevent similar CSRF vulnerabilities.

Generated by OpenCVE AI on April 22, 2026 at 00:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Asgaros
Asgaros asgaros Forum
Wordpress
Wordpress wordpress
Vendors & Products Asgaros
Asgaros asgaros Forum
Wordpress
Wordpress wordpress

Wed, 12 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Title Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Asgaros Asgaros Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:20.293Z

Reserved: 2025-11-07T19:36:32.147Z

Link: CVE-2025-12901

cve-icon Vulnrichment

Updated: 2025-11-12T14:20:57.354Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T05:15:43.787

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses