Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-25qp-vg38-c324/GHSA-25qp-vg38-c324.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-25qp-vg38-c324",
+  "modified": "2025-11-04T06:31:12Z",
+  "published": "2025-11-04T06:31:12Z",
+  "aliases": [
+    "CVE-2025-12389"
+  ],
+  "details": "The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's record setting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/import-export-for-woocommerce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a93e3f-54c6-4970-96fd-fab0e81f7034?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T05:16:11Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-26gg-89xw-hgwx/GHSA-26gg-89xw-hgwx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26gg-89xw-hgwx",
+  "modified": "2025-11-04T06:31:11Z",
+  "published": "2025-11-04T06:31:11Z",
+  "aliases": [
+    "CVE-2025-27070"
+  ],
+  "details": "Memory corruption while performing encryption and decryption commands.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27070"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2025-bulletin.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T04:15:37Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-546r-87jx-5rwj/GHSA-546r-87jx-5rwj.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-546r-87jx-5rwj",
+  "modified": "2025-11-04T06:31:12Z",
+  "published": "2025-11-04T06:31:12Z",
+  "aliases": [
+    "CVE-2025-12452"
+  ],
+  "details": "The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12452"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/visit-counter"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9e0f3a5-35fb-4c7e-892f-8a41498e1d3c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T05:16:14Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-5647-2cr4-4573/GHSA-5647-2cr4-4573.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5647-2cr4-4573",
+  "modified": "2025-11-04T06:31:12Z",
+  "published": "2025-11-04T06:31:12Z",
+  "aliases": [
+    "CVE-2025-12188"
+  ],
+  "details": "The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'wpm_navigation_links_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12188"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/posts-navigation-links-for-sections-and-headings-free-by-wp-masters"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05f73a26-f637-4a1a-9f8c-98be8a146f00?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T05:16:10Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-5m5x-66vw-r2rp/GHSA-5m5x-66vw-r2rp.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5m5x-66vw-r2rp",
+  "modified": "2025-11-04T06:31:10Z",
+  "published": "2025-11-04T06:31:10Z",
+  "aliases": [
+    "CVE-2025-11007"
+  ],
+  "details": "The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11007"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/ce21-suite"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T04:15:36Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-5qc4-8254-wgvg/GHSA-5qc4-8254-wgvg.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5qc4-8254-wgvg",
+  "modified": "2025-11-04T06:31:10Z",
+  "published": "2025-11-04T06:31:10Z",
+  "aliases": [
+    "CVE-2025-12069"
+  ],
+  "details": "The WP Global Screen Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing nonce validation on the `updatewpglobalscreenoptions` action handler. This makes it possible for unauthenticated attackers to modify global screen options for all users via a forged request granted they can trick an administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12069"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-global-screen-options/tags/0.2/wp_global_screen_options.php#L16"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dae86d7c-3bbb-4872-acd7-08ff8d437b8e?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T04:15:37Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-627w-fp5f-x4qx/GHSA-627w-fp5f-x4qx.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-627w-fp5f-x4qx",
+  "modified": "2025-11-04T06:31:12Z",
+  "published": "2025-11-04T06:31:12Z",
+  "aliases": [
+    "CVE-2025-11812"
+  ],
+  "details": "The Reuse Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'reuse_builder_single_post_title' shortcode in all versions up to, and including, 1.7. This is due to insufficient input sanitization and output escaping on the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11812"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/reuse-builder/tags/1.7/shortcodes/single_post_title.php#L24"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/reuse-builder"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f796ade5-db48-4334-9a76-15326f62c9a5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T05:16:03Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-6c5m-fv99-g9g5/GHSA-6c5m-fv99-g9g5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6c5m-fv99-g9g5",
+  "modified": "2025-11-04T06:31:11Z",
+  "published": "2025-11-04T06:31:11Z",
+  "aliases": [
+    "CVE-2025-47357"
+  ],
+  "details": "Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47357"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2025-bulletin.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T04:15:38Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-6h2j-h2vw-282c/GHSA-6h2j-h2vw-282c.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6h2j-h2vw-282c",
+  "modified": "2025-11-04T06:31:13Z",
+  "published": "2025-11-04T06:31:12Z",
+  "aliases": [
+    "CVE-2025-12456"
+  ],
+  "details": "The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12456"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/Centangle-Team-Showcase.php#L132"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L172"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L196"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L88"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff637c7-677f-4d70-b3cb-770d0a47e691?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-04T05:16:16Z"
+  }
+}