Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8498e21a401d · 2025-10-01T06:32:11.000Z
GHSA-4cxv-4ppr-px4m GHSA-6jch-8crw-wv3g GHSA-95g3-m84h-pvg8 GHSA-g79r-wqxw-xp7q GHSA-qxh8-5779-hg4r
diff --git a/advisories/unreviewed/2025/10/GHSA-4cxv-4ppr-px4m/GHSA-4cxv-4ppr-px4m.json b/advisories/unreviewed/2025/10/GHSA-4cxv-4ppr-px4m/GHSA-4cxv-4ppr-px4m.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4cxv-4ppr-px4m",
+  "modified": "2025-10-01T06:30:22Z",
+  "published": "2025-10-01T06:30:22Z",
+  "aliases": [
+    "CVE-2025-9075"
+  ],
+  "details": "The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9075"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/google-map/frontend.js#L1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/image-gallery/frontend.js#L1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/progress-pie/frontend.js#L1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/text-path/frontend.js#L1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3351996%40zoloblocks&new=3351996%40zoloblocks&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369092%40zoloblocks&new=3369092%40zoloblocks&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5860d456-a992-4816-8c93-7311c33734e4?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-01T04:16:05Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-6jch-8crw-wv3g/GHSA-6jch-8crw-wv3g.json b/advisories/unreviewed/2025/10/GHSA-6jch-8crw-wv3g/GHSA-6jch-8crw-wv3g.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6jch-8crw-wv3g",
+  "modified": "2025-10-01T06:30:22Z",
+  "published": "2025-10-01T06:30:22Z",
+  "aliases": [
+    "CVE-2025-10744"
+  ],
+  "details": "The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/softdiscover-db-file-manager/tags/1.5.0/modules/filemanager/controllers/backup.php#L460"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/softdiscover-db-file-manager/tags/1.5.0/modules/filemanager/helpers/iprogress.php#L19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369101%40softdiscover-db-file-manager&new=3369101%40softdiscover-db-file-manager&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30147e39-af94-4620-870b-71a0a46b7509?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-01T04:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-95g3-m84h-pvg8/GHSA-95g3-m84h-pvg8.json b/advisories/unreviewed/2025/10/GHSA-95g3-m84h-pvg8/GHSA-95g3-m84h-pvg8.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-95g3-m84h-pvg8",
+  "modified": "2025-10-01T06:30:22Z",
+  "published": "2025-10-01T06:30:22Z",
+  "aliases": [
+    "CVE-2025-9512"
+  ],
+  "details": "The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9512"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/e45d9335-3665-4155-abdf-9eeea250f1ba"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-01T06:15:31Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-g79r-wqxw-xp7q/GHSA-g79r-wqxw-xp7q.json b/advisories/unreviewed/2025/10/GHSA-g79r-wqxw-xp7q/GHSA-g79r-wqxw-xp7q.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g79r-wqxw-xp7q",
+  "modified": "2025-10-01T06:30:22Z",
+  "published": "2025-10-01T06:30:22Z",
+  "aliases": [
+    "CVE-2025-10538"
+  ],
+  "details": "An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10538"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-07"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-288"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-01T04:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-qxh8-5779-hg4r/GHSA-qxh8-5779-hg4r.json b/advisories/unreviewed/2025/10/GHSA-qxh8-5779-hg4r/GHSA-qxh8-5779-hg4r.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qxh8-5779-hg4r",
+  "modified": "2025-10-01T06:30:22Z",
+  "published": "2025-10-01T06:30:22Z",
+  "aliases": [
+    "CVE-2025-10735"
+  ],
+  "details": "The Block For Mailchimp – Easy Mailchimp Form Integration plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.12 via the mcbSubmit_Form_Data(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.svn.wordpress.org/block-for-mailchimp/tags/1.1.9/mailchimp/API.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3368808%40block-for-mailchimp&new=3368808%40block-for-mailchimp&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/block-for-mailchimp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51de575f-d458-4a7d-bc57-4a11e5124377?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-01T04:15:59Z"
+  }
+}
