CVE-2025-11452: 
WordPress vulnerability analysis and mitigation

CVE-2025-11452 affects the Asgaros Forum plugin for WordPress versions up to and including 3.1.0. The vulnerability is an unauthenticated SQL Injection that exists via the '$_COOKIE['asgarosforum_unread_exclude']' cookie parameter due to insufficient escaping and preparation of SQL queries (NVD CVE, Wordfence Intel). The vulnerability was discovered and disclosed on November 7, 2025.

The vulnerability stems from insufficient escaping of user-supplied parameters in the '$_COOKIE['asgarosforum_unread_exclude']' cookie and inadequate preparation of SQL queries. This allows unauthenticated attackers to append additional SQL queries to existing ones. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD CVE).

The SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from the database by appending additional SQL queries to existing ones. The high CVSS score of 7.5 reflects the serious nature of this vulnerability, particularly due to its potential for unauthorized data access (NVD CVE).

The vulnerability has been patched in version 3.2.0 of the Asgaros Forum plugin. The fix includes additional validation to remove non-integer elements from the cookie array to prevent SQL injections. Users are strongly advised to update to version 3.2.0 or later (Github Commit).