cleantalk
Vulnerabilities and Security Researches

Asgaros Forum, CVE-2025-12901

CVE, Research URL

CVE-2025-12901

Home page URL

Security reports for Asgaros Forum

Application

Asgaros Forum

Published on
Nov 12, 2025
Research Description
The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Affected versions
max 3.3.0.
Status
vulnerable
Previous vulnerability researches
YITH PayPal Express Checkout for WooCommerce (CVE-2019-16251) , Jun 07, 2024
YITH PayPal Express Checkout for WooCommerce (CVE-2025-48111) , Jun 18, 2025
New vulnerability
Nelio Popups (CVE-2025-66111) , Dec 11, 2025
Vitepos – Point of sale (POS) plugin for WooCommerce (CVE-2025-13156) , Dec 11, 2025
SNORDIAN's H5PxAPIkatchu (CVE-2025-12904) , Dec 11, 2025
Share to Google Classroom (CVE-2025-12711) , Dec 11, 2025
Flickr Show (CVE-2025-12672) , Dec 11, 2025