
Vulnerability in Asgaros Forum Plugin

Team,

I found a security vulnerability in the Asgaros Forum plugin.

I have reported this to administrator@asgaros.de.

Please check.

@asgaros

Hello @cyberintel

I am not really sure if the issue you mentioned can be considered a security vulnerability, as WordPress core actually handles it the same way when creating new posts/pages and entering JavaScript inside from the backend. Their team doesn't consider this an issue, as only administrators are able to add this to the page anyway.

If you want to support the development of Asgaros Forum, you can leave a good review or donate. Thank you very much!

Hi @asgaros

No, this vulnerability exists even after disabling unfiltered HTML in WordPress core. I found a similar bug in another plugin, which they did accept. And it's not only for administrators. WordPress has multiple roles, such as editor. So any malicious insider editor might use this vulnerability to get the admin cookies, etc.

Reference: https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42361

Hi,

Any update on this, @asgaros?

Hi,

This is a valid vulnerability; I also confirmed it with the WordPress security team.

Hello @cyberintel

This will be fixed soon with the next update!


Hi,

Kindly let me know once you have fixed it.

@cyberintel Already fixed since yesterday with the update to v1.15.14. Thanks for the report!
