Platform
wordpress
Component
asgaros-forum
Fixed in
3.2.2
CVE-2025-12901 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Asgaros Forum plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the subscription settings of authenticated users, potentially granting unauthorized access or privileges. The vulnerability impacts versions from 0.0.0 through 3.2.1, and a patch is available in version 3.3.0.
The primary impact of this CSRF vulnerability lies in the attacker's ability to modify a user's subscription level without their knowledge or consent. This could lead to unauthorized access to premium features, changes in account status, or other actions dependent on the forum's subscription model. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by a logged-in user of the Asgaros Forum plugin, would silently execute the forged request. The blast radius is limited to users of the Asgaros Forum plugin, but the potential for widespread impact exists if the plugin is widely deployed.
This vulnerability was publicly disclosed on 2025-11-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's severity is rated as MEDIUM. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Asgaros Forum plugin, particularly those with subscription-based features or forums where user roles and permissions are critical, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also potentially vulnerable if one instance of the plugin is affected.
• wordpress / composer / npm:
grep -r 'set_subscription_level(' /var/www/html/wp-content/plugins/asgaros-forum/
• wordpress / composer / npm:
wp plugin list --status=all | grep asgaros-forum
• wordpress / composer / npm:
wp plugin update asgaros-forum --all
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade the Asgaros Forum plugin to version 3.3.0 or later, which includes the necessary nonce validation to prevent CSRF attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the set_subscription_level() function. Carefully review any custom code interacting with the forum's subscription functionality for potential vulnerabilities. After upgrading, confirm the fix by attempting to trigger a subscription change via a crafted CSRF request and verifying that it is blocked.
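As an added illustration that is not Asgaros Forum's own code, the following shows the request-handling pattern behind this class of CSRF next to the nonce validation that the fix adds. The hook name, form field names, meta key and the forum_set_subscription_level() stand-in are assumptions; only set_subscription_level() is named in this advisory.

```php
<?php
// Added illustration, not Asgaros Forum code. Hook, field and meta key names are
// assumed; forum_set_subscription_level() stands in for the plugin's setter.

// Hypothetical setter standing in for the plugin's set_subscription_level().
function forum_set_subscription_level( $user_id, $level ) {
    update_user_meta( $user_id, 'forum_subscription_level', (int) $level );
}

// BEFORE (vulnerable pattern): any request carrying the victim's logged-in cookies is
// honoured, so a hidden form on a third-party page can change the victim's setting.
function forum_subscription_handler_vulnerable() {
    if ( ! is_user_logged_in() || ! isset( $_POST['subscription_level'] ) ) {
        return;
    }
    forum_set_subscription_level( get_current_user_id(), $_POST['subscription_level'] );
}

// AFTER: the form embeds a nonce bound to this action and the current user's session...
function forum_subscription_form() {
    $url = esc_url( admin_url( 'admin-post.php' ) );
    echo '<form method="post" action="' . $url . '">';
    echo '<input type="hidden" name="action" value="forum_set_subscription">';
    wp_nonce_field( 'forum_set_subscription', 'forum_subscription_nonce' );
    echo '<select name="subscription_level"><option value="0">None</option>';
    echo '<option value="1">New topics</option><option value="2">All posts</option></select>';
    echo '<button type="submit">Save</button></form>';
}

// ...and the handler refuses requests whose nonce is missing or does not verify,
// then restricts the value to the allowed set before touching the user's setting.
function forum_subscription_handler_fixed() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['forum_subscription_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['forum_subscription_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'forum_set_subscription' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    $level = isset( $_POST['subscription_level'] ) ? (int) $_POST['subscription_level'] : -1;
    if ( ! in_array( $level, array( 0, 1, 2 ), true ) ) {
        wp_die( 'Invalid subscription level.', '', array( 'response' => 400 ) );
    }
    forum_set_subscription_level( get_current_user_id(), $level );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_forum_set_subscription', 'forum_subscription_handler_fixed' );
```

A forged cross-site POST lacks a nonce tied to the victim's session, so the fixed handler rejects it with a 403 while legitimate submissions from the plugin's own form still pass.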
Update to version 3.3.0, or a more recent patched version
CVE-2025-12901 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Asgaros Forum plugin for WordPress versions 0.0.0–3.2.1, allowing attackers to modify user subscription settings.
You are affected if you are using the Asgaros Forum plugin for WordPress in versions 0.0.0 through 3.2.1. Upgrade to 3.3.0 or later to mitigate the risk.
Upgrade the Asgaros Forum plugin to version 3.3.0 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2025-12901 at this time, but the vulnerability is publicly known.
Refer to the official Asgaros Forum plugin website or WordPress plugin repository for the latest advisory and update information.