Platform: wordpress
Component: asgaros-forum
Fixed version: 3.2.2
CVE-2025-12901 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Asgaros Forum plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the subscription settings of authenticated users, potentially granting unauthorized access or privileges. The vulnerability impacts versions from 0.0.0 through 3.2.1, and a patch is available in version 3.3.0.
The primary impact of this CSRF vulnerability lies in the attacker's ability to modify a user's subscription level without their knowledge or consent. This could lead to unauthorized access to premium features, changes in account status, or other actions dependent on the forum's subscription model. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by a logged-in user of the Asgaros Forum plugin, would silently submit the forged request with the victim's session cookies. The blast radius is limited to sites running the Asgaros Forum plugin, but the potential for widespread impact grows with how widely the plugin is deployed.
This vulnerability was publicly disclosed on 2025-11-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's severity is rated as MEDIUM. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Asgaros Forum plugin, particularly those with subscription-based features or forums where user roles and permissions are critical, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also potentially vulnerable if one instance of the plugin is affected.
• wordpress / composer / npm: grep -r 'set_subscription_level(' /var/www/html/wp-content/plugins/asgaros-forum/
• wordpress / composer / npm: wp plugin list --status=all | grep asgaros-forum
• wordpress / composer / npm: wp plugin update asgaros-forum
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the Asgaros Forum plugin to version 3.3.0 or later, which includes the necessary nonce validation to prevent CSRF attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the set_subscription_level() function. Carefully review any custom code interacting with the forum's subscription functionality for potential vulnerabilities. After upgrading, confirm the fix by attempting to trigger a subscription change via a crafted CSRF request and verifying that it is blocked.
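As an added illustration (not Asgaros Forum's own code and not the 3.3.0 patch itself), the following hypothetical WordPress handler shows the nonce validation pattern the fix relies on: the form carries a nonce bound to one action and the logged-in user, and the handler rejects any request that does not present a valid one. Every name prefixed example_ is an assumption made for this example.

```php
<?php
// Added illustration, not the plugin's code: a WordPress form handler that
// changes the current user's subscription level, protected against CSRF.
// All example_* names, the user-meta key and the level range are hypothetical.

// 1. Render the form with a nonce tied to this action and the current user.
function example_render_subscription_form() {
    $current = (int) get_user_meta( get_current_user_id(), 'example_subscription_level', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_set_subscription_level">
        <?php wp_nonce_field( 'example_set_subscription_level', 'example_nonce' ); ?>
        <label>Level <input type="number" name="level" min="0" max="3"
               value="<?php echo esc_attr( $current ); ?>"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the POST. The CSRF-prone pattern is this same function with the
//    nonce check missing: any page the victim visits could submit the form.
function example_handle_set_subscription_level() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 403 ) );
    }
    // Reject requests lacking a valid nonce for exactly this action. The nonce
    // is derived from the user's session, so a cross-origin page cannot forge it.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_set_subscription_level' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    // Validate the value server-side; the form's min/max are not enforced by browsers under attack.
    $level = isset( $_POST['level'] ) ? (int) $_POST['level'] : -1;
    if ( $level < 0 || $level > 3 ) {
        wp_die( 'Invalid level', '', array( 'response' => 400 ) );
    }
    // Only ever change the *current* user's own setting, never a user id from the request.
    update_user_meta( get_current_user_id(), 'example_subscription_level', $level );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_example_set_subscription_level', 'example_handle_set_subscription_level' );
```

A quick regression check after deploying such a handler is to replay the POST without the example_nonce field and confirm the 403 response, which mirrors the post-upgrade verification step above.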
Update to version 3.3.0 or a later fixed version.
CVE-2025-12901 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Asgaros Forum plugin for WordPress versions 0.0.0–3.2.1, allowing attackers to modify user subscription settings.
You are affected if you are using the Asgaros Forum plugin for WordPress in versions 0.0.0 through 3.2.1. Upgrade to 3.3.0 or later to mitigate the risk.
Upgrade the Asgaros Forum plugin to version 3.3.0 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2025-12901 at this time, but the vulnerability is publicly known.
Refer to the official Asgaros Forum plugin website or WordPress plugin repository for the latest advisory and update information.