Description
The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set an insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.
References (1)
Core References
https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
Scores
CVSS v3: 9.8
EPSS: 0.0699
EPSS Percentile: 91.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-434, CWE-94
Status: published
Products (1)
asgaros/asgaros_forum < 2.7.1
Published: Nov 27, 2023
Tracked Since: Feb 18, 2026