Asgaros Forum
Moderate fix1 remedy
cpe:2.3:a:asgaros:asgaros_forum:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 3.2.1
Asgaros Forum Cross-Site Request Forgery Vulnerability in Subscription Settings
Vulnerability
Patched
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Asgaros Forum plugin for WordPress, affecting all versions through 3.2.1. The issue arises from a lack of nonce validation in the set_subscription_level() function, allowing unauthenticated attackers to manipulate the subscription settings of authenticated users. Exploitation requires tricking a logged-in user into clicking a link that initiates the forged request.
Impact
Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can manipulate the subscription settings of a user without their consent.
Reproduction
To reproduce this vulnerability, an attacker must send a request to the set_subscription_level() function without a valid nonce. This can be done by tricking a logged-in user into clicking a link that performs the action, such as through a phishing attempt or by exploiting another vulnerability that allows for such manipulation.
Remediation
Users are advised to update the Asgaros Forum plugin to version 3.3.0 or later, where this vulnerability has been patched.
Added: Nov 12, 2025, 5:37 AM
Updated: Nov 12, 2025, 5:37 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
0.6exploitability
7.6remediation
7.7relevance
1.0threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.