Platform: wordpress
Component: asgaros-forum
Fixed in: 3.2.2
CVE-2025-12901 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Asgaros Forum plugin for WordPress. The flaw lets an unauthenticated attacker change the subscription settings of an authenticated user who is tricked into issuing a forged request, which can grant access or privileges the user never chose. Versions 0.0.0 through 3.2.1 are affected; a patch is available in version 3.3.0.
The primary impact is that a user's subscription level can be modified without their knowledge or consent. Depending on the forum's subscription model, this could mean unauthorized access to premium features, changes in account status, or other actions tied to the subscription setting. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by a logged-in user of the Asgaros Forum plugin, silently submits the forged request with the victim's session cookies attached. The blast radius is limited to sites running the Asgaros Forum plugin, but because the plugin is widely deployed, the potential for broad impact exists.
This vulnerability was publicly disclosed on 2025-11-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's severity is rated as MEDIUM. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
The recommended mitigation is to immediately upgrade the Asgaros Forum plugin to version 3.3.0 or later, which includes the necessary nonce validation to prevent CSRF attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the setsubscriptionlevel() function. Carefully review any custom code interacting with the forum's subscription functionality for potential vulnerabilities. After upgrading, confirm the fix by attempting to trigger a subscription change via a crafted CSRF request and verifying that it is blocked.
Update to version 3.3.0, or a newer patched version
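The missing nonce validation that the advisory describes follows the standard WordPress pattern shown below. This is an added illustration, not the Asgaros Forum plugin's own code: the handler names, the user-meta key and the nonce action are hypothetical, and only the general shape of the fix (verify a nonce bound to the logged-in user's session, then check capability, before writing the setting) is what the patched version is described as adding.

```php
<?php
// Added illustration with hypothetical names, not Asgaros Forum's code.
// Assumes it runs inside WordPress, where is_user_logged_in(), wp_verify_nonce(),
// wp_nonce_field(), current_user_can() and update_user_meta() are available.

// BEFORE: the handler trusts any POST that carries the expected field.
// A form on a third-party page can submit it and the browser attaches the
// victim's cookies, so the change is applied in the victim's name (CSRF).
function demo_set_subscription_level_vulnerable() {
    if ( ! is_user_logged_in() || ! isset( $_POST['subscription_level'] ) ) {
        return;
    }
    $level = absint( $_POST['subscription_level'] ); // hypothetical value range
    update_user_meta( get_current_user_id(), 'demo_subscription_level', $level );
}

// AFTER: the request must carry a nonce minted for this user and this action.
// WordPress nonces are derived from the user's session and expire, so a page
// on another origin cannot obtain one to include in a forged form.
function demo_set_subscription_level_fixed() {
    if ( ! is_user_logged_in() || ! isset( $_POST['subscription_level'] ) ) {
        return;
    }
    $nonce = isset( $_POST['demo_subscription_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_subscription_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_set_subscription_level' ) ) {
        wp_die( 'Security check failed.', 403 ); // reject the request and stop
    }
    // Being authenticated is not the same as being authorised.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $level = absint( $_POST['subscription_level'] );
    update_user_meta( get_current_user_id(), 'demo_subscription_level', $level );
}

// The legitimate form embeds the matching nonce field; this is the only
// place the browser can obtain a token that the fixed handler accepts.
function demo_render_subscription_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_set_subscription_level', 'demo_subscription_nonce' );
    echo '<input type="number" name="subscription_level" min="0" max="3">';
    echo '<button type="submit">Save</button></form>';
}
```

A nonce check alone stops CSRF but not a logged-in user acting on their own account beyond their rights, which is why the fixed handler keeps the capability check as a separate step.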
CVE-2025-12901 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Asgaros Forum plugin for WordPress versions 0.0.0–3.2.1, allowing attackers to modify user subscription settings.
You are affected if you are using the Asgaros Forum plugin for WordPress in versions 0.0.0 through 3.2.1. Upgrade to 3.3.0 or later to mitigate the risk.
Upgrade the Asgaros Forum plugin to version 3.3.0 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2025-12901 at this time, but the vulnerability is publicly known.
Refer to the official Asgaros Forum plugin website or WordPress plugin repository for the latest advisory and update information.