CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32440 – WordPress Asgaros Forum plugin <= 2.8.0 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-32440
Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.8.0. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Thomas Belser Asgaros Forum. Este problema afecta a Asgaros Forum: desde n/a hasta 2.8.0. The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.0. This is due to missing or incorrect nonce validation on the mark_all_read() function. • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22284 – WordPress Asgaros Forum Plugin <= 2.7.2 is vulnerable to PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-22284
Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2. Vulnerabilidad de deserialización de datos no confiables en Thomas Belser Asgaros Forum. Este problema afecta a Asgaros Forum: desde n/a hasta 2.7.2. The Asgaros Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input in the prepare_unread_status function. This makes it possible for unauthenticated attackers to inject a PHP Object. • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-7-2-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5604 – Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5604
The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution. El complemento Asgaros Forum de WordPress anterior a 2.7.1 permite a los administradores del foro, que pueden no ser (super)administradores de WordPress, establecer una configuración insegura que permite a usuarios no autenticados cargar archivos peligrosos (por ejemplo, .php, .phtml), lo que podría generar una ejecución remota de código. The Asgaros Forum plugin for WordPress is vulnerable to unauthorized control of the plugin's settings due to an insufficient capability check on the forum options update in all versions up to 2.7.1 (exclusive). This makes it possible for authenticated attackers, with administrator-level access and above, to modify the plugin's settings so that they can upload malicious PHP files that can be used for remote code execution. • https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41608 – WordPress Asgaros Forum Plugin <= 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-41608
Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum plugin <= 2.2.0 versions. The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown. • https://patchstack.com/database/vulnerability/asgaros-forum/wordpress-asgaros-forum-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0411 – Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
https://notcve.org/view.php?id=CVE-2022-0411
The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection El plugin Asgaros Forum de WordPress versiones anteriores a 2.0.0, no sanea y escapa el parámetro post_id antes de usarlo en una sentencia SQL por medio de una ruta REST del plugin (accesible a cualquier usuario autenticado), conllevando a una inyección SQL • https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum https://wpscan.com/vulnerability/35272197-c973-48ad-8405-538bfbafa172 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •