CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum. This issue affects Asgaros Forum: from n/a through 2.8.0. The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.0. This is due to missing or incorrect nonce validation on the mark_all_read() function. • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jan 2024 — Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum. This issue affects Asgaros Forum: from n/a through 2.7.2. The Asgaros Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input in the prepare_unread_status function. This makes it possible for... • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-7-2-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Nov 2023 — The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution. • https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions. The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnera... • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 Jan 2022 — The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection. • https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Dec 2021 — The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue. • https://plugins.trac.wordpress.org/changeset/2642215 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Nov 2021 — The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. • https://plugins.trac.wordpress.org/changeset/2635143/asgaros-forum/trunk/admin/tables/admin-structure-table.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 50% • CPEs: 1 • EXPL: 1

11 Oct 2021 — The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue. • https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')