CVE-2025-12901

Source
https://cve.org/CVERecord?id=CVE-2025-12901
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12901.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-12901
Published
2025-11-12T04:29:09.846Z
Modified
2026-07-15T01:49:10.824932456Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update
Details

The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the setsubscriptionlevel() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

Database specific
{
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/12xxx/CVE-2025-12901.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "3.2.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "Wordfence"
}
References

Affected packages

Git / github.com/asgaros/asgaros-forum

Affected ranges

Type
GIT
Repo
https://github.com/asgaros/asgaros-forum
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.14.0
v1.14.1
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.15.0
v1.15.1
v1.15.10
v1.15.11
v1.15.12
v1.15.13
v1.15.14
v1.15.15
v1.15.16
v1.15.17
v1.15.18
v1.15.19
v1.15.2
v1.15.20
v1.15.3
v1.15.4
v1.15.5
v1.15.6
v1.15.7
v1.15.8
v1.15.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.1.0
v3.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12901.json"