Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5b5923bcd2fa · 2025-11-24T00:31:33.000Z
GHSA-23v2-gv35-vww5 GHSA-588w-wrcx-mhcm GHSA-7vx4-j234-7f53 GHSA-c6q3-g8x3-7xgf GHSA-ggm9-w3r3-2c6h GHSA-w22x-mx57-4r69 GHSA-x3c9-p79c-qhqc
diff --git a/advisories/unreviewed/2025/11/GHSA-23v2-gv35-vww5/GHSA-23v2-gv35-vww5.json b/advisories/unreviewed/2025/11/GHSA-23v2-gv35-vww5/GHSA-23v2-gv35-vww5.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23v2-gv35-vww5",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-13572"
+  ],
+  "details": "A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /delete_admin.php. The manipulation of the argument admin_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13572"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GYSakura/tmp/blob/main/report.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.333336"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.333336"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698645"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-23T23:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-588w-wrcx-mhcm/GHSA-588w-wrcx-mhcm.json b/advisories/unreviewed/2025/11/GHSA-588w-wrcx-mhcm/GHSA-588w-wrcx-mhcm.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-588w-wrcx-mhcm",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-13573"
+  ],
+  "details": "A security flaw has been discovered in projectworlds can pass malicious payloads up to 1.0. This vulnerability affects unknown code of the file /add_book.php. The manipulation of the argument image results in unrestricted upload. The attack can be executed remotely. The exploit has been released to the public and may be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13573"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GYSakura/tmp75/blob/main/report.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.333337"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.333337"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698646"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T00:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-7vx4-j234-7f53/GHSA-7vx4-j234-7f53.json b/advisories/unreviewed/2025/11/GHSA-7vx4-j234-7f53/GHSA-7vx4-j234-7f53.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7vx4-j234-7f53",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-12800"
+  ],
+  "details": "The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12800"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3397946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-23T23:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-c6q3-g8x3-7xgf/GHSA-c6q3-g8x3-7xgf.json b/advisories/unreviewed/2025/11/GHSA-c6q3-g8x3-7xgf/GHSA-c6q3-g8x3-7xgf.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c6q3-g8x3-7xgf",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-13571"
+  ],
+  "details": "A vulnerability was determined in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /listorder.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13571"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jjjjj-zr/jjjjjzr/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.333335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.333335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698495"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-23T22:16:18Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-ggm9-w3r3-2c6h/GHSA-ggm9-w3r3-2c6h.json b/advisories/unreviewed/2025/11/GHSA-ggm9-w3r3-2c6h/GHSA-ggm9-w3r3-2c6h.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ggm9-w3r3-2c6h",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-13570"
+  ],
+  "details": "A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=state. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13570"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/yihaofuweng/cve/issues/59"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.333334"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.333334"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698656"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-23T22:16:17Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-w22x-mx57-4r69/GHSA-w22x-mx57-4r69.json b/advisories/unreviewed/2025/11/GHSA-w22x-mx57-4r69/GHSA-w22x-mx57-4r69.json
@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w22x-mx57-4r69",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-12759"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12759"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-23T23:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-x3c9-p79c-qhqc/GHSA-x3c9-p79c-qhqc.json b/advisories/unreviewed/2025/11/GHSA-x3c9-p79c-qhqc/GHSA-x3c9-p79c-qhqc.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x3c9-p79c-qhqc",
+  "modified": "2025-11-24T00:30:17Z",
+  "published": "2025-11-24T00:30:17Z",
+  "aliases": [
+    "CVE-2025-13574"
+  ],
+  "details": "A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13574"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.333338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.333338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698717"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.698718"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T00:15:46Z"
+  }
+}
