Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum asgaros-forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through <= 3.2.1.
Published: 2025-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw caused by improper neutralization of input when generating web pages with the Asgaros Forum plugin. An attacker can inject malicious script payloads into forum content that are retained in the database and later served to other users, allowing execution of arbitrary client‑side code in the victim's browser. Such execution could lead to theft of session cookies, credential compromise, or phishing attempts against forum participants.

Affected Systems

The affected product is the Asgaros Forum plugin for WordPress, with all releases from the earliest version up through 3.2.1 vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation as of the latest data, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is user-generated forum content: the attacker must supply malicious content that the plugin stores and later displays without proper sanitization. Because the flaw is stored XSS, any visitor to the affected forum pages could be impacted, but exploitation requires an attacker to be able to inject content into the forum, either directly or by compromising a user account.

Generated by OpenCVE AI on April 30, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Asgaros Forum plugin to a version newer than 3.2.1, applying the vendor’s fix.
  • Once updated, clear any cached forum content and restart the web server to ensure the new sanitization logic is in effect.
  • If an immediate upgrade is not possible, consider restricting the ability of untrusted users to post or edit forum content, or disable the plugin until a patched version is available.


Advisories
Source: EUVD
ID: EUVD-2025-11341
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum asgaros-forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through <= 3.2.1.
Title
  Removed: WordPress Asgaros Forum <= 3.0.0 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Asgaros Forum plugin <= 3.2.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.
Title WordPress Asgaros Forum <= 3.0.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:33.875Z

Reserved: 2025-04-16T06:24:25.376Z

Link: CVE-2025-39514

Vulnrichment

Updated: 2025-04-16T13:22:58.611Z

NVD

Status: Deferred

Published: 2025-04-16T13:15:44.860

Modified: 2026-04-23T15:29:42.433

Link: CVE-2025-39514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:45:03Z

Weaknesses