Version 3.1.0 – XSS vulnerability
Quote from m.brooking@mixd.co.uk on July 31, 2025, 1:18 pm
We’re currently receiving XSS vulnerability alerts related to the current version of Asgaros Forums. Do you have an estimated timeline for when an update addressing this issue might be released? We have the plugin installed on multiple sites, so resolving this is critical for us. We’d really appreciate any updates you can provide. Thank you!
Thanks,
Matt
Quote from Asgaros on August 9, 2025, 6:08 am
Hi @m-brookingmixd-co-uk
I have been aware of this report for weeks/months, and usually I try to fix those issues within hours. However, for this particular one I never got any details from the vulnerability reporter, so I have absolutely no clue in which module or section this vulnerability is supposed to exist. I already tried to investigate, but without disclosure to me, this report is as useful as if someone tells you that you have a problem in your house. It could be everything or nothing. That is the sad truth.
As soon as I get steps to reproduce this issue from somewhere, I will fix it immediately.
Edit: I made this topic a global sticky because I get similar requests continuously. Maybe it also helps to get more information.
Quote from m.brooking@mixd.co.uk on August 11, 2025, 1:10 pm
Hi @asgaros
Thanks for the update. I understand this is a tricky issue to fix, and I appreciate the effort you’re putting into it.
Please let us know as soon as you’ve rolled out a fix so we can distribute it across all our websites using the plugin.
Thanks,
Matt
Quote from m.brooking@mixd.co.uk on August 26, 2025, 12:04 pm
Hi @asgaros
The link the user above posted states the vulnerability is “due to insufficient input sanitization and output escaping”. Are you able to check all the inputs in the plugin to ensure they are being sanitized sufficiently?
Thanks,
Matt
Quote from m.brooking@mixd.co.uk on September 15, 2025, 2:18 pm
Hi @asgaros
Just want to find out if we’re any closer to this issue being resolved?
Another user has submitted a pull request to the plugin over on the WordPress support forums:
https://wordpress.org/support/topic/version-3-1-0-xss-vulnerability/#post-18631788
https://github.com/Asgaros/asgaros-forum/pull/402
I wondered if you have had any time to review this at all?
Thanks,
Matt