Vulnerabilities and security researches forasgaros-forum asgaros-forum

Jun 07, 2024

CVE, Research URL: CVE-2021-24827
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Nov 08, 2021
Research Description: The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue
Affected versions: max 1.5.9.
Status: vulnerable

CVE, Research URL: CVE-2023-5604
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Nov 27, 2023
Research Description: The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.
Affected versions: max 2.7.1.
Status: vulnerable

CVE, Research URL: CVE-2021-42365
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Nov 30, 2021
Research Description: The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Affected versions: max 1.15.14.
Status: vulnerable

CVE, Research URL: CVE-2022-41608
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: May 22, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions.
Affected versions: max 2.2.0.
Status: vulnerable

CVE, Research URL: CVE-2022-0411
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Feb 28, 2022
Research Description: The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection
Affected versions: max 2.0.0.
Status: vulnerable

CVE, Research URL: CVE-2021-25045
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Jan 24, 2022
Research Description: The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
Affected versions: max 1.15.15.
Status: vulnerable

CVE, Research URL: CVE-2024-32440
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Apr 15, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.8.0.
Affected versions: max 2.9.0.
Status: vulnerable

CVE, Research URL: CVE-2024-22284
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Jan 24, 2024
Research Description: Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2.
Affected versions: max 2.8.0.
Status: vulnerable

Apr 10, 2025

CVE, Research URL: CVE-2025-32227
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Apr 10, 2025
Research Description: Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum allows Identity Spoofing. This issue affects Asgaros Forum: from n/a through 3.0.0.
Affected versions: max 3.1.0.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-39514
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Apr 16, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.
Affected versions: max 3.1.0.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-12901
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Nov 12, 2025
Research Description: The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Affected versions: max 3.3.0.
Status: vulnerable

CVE, Research URL: CVE-2025-11452
Home page URL: Security reports for Asgaros Forum
Application: Asgaros Forum
Date: Nov 08, 2025
Research Description: The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 3.2.0.
Status: vulnerable