Publish Advisories

GHSA-846p-mjq5-w3jq
GHSA-8wvq-7r24-j62p
GHSA-9266-cq8v-fw7x
GHSA-hgcx-x66q-2c6r
GHSA-j2mv-36cj-3fvx
GHSA-qx53-vgc7-7hg8

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-846p-mjq5-w3jq/GHSA-846p-mjq5-w3jq.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-846p-mjq5-w3jq",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-13317"
+  ],
+  "details": "The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13317"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T08:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-8wvq-7r24-j62p/GHSA-8wvq-7r24-j62p.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8wvq-7r24-j62p",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-13136"
+  ],
+  "details": "The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13136"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399046%40gsheetconnector-ninja-forms&new=3399046%40gsheetconnector-ninja-forms&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5770cb94-8603-44d9-8cda-925175851b51?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T09:15:42Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-9266-cq8v-fw7x/GHSA-9266-cq8v-fw7x.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9266-cq8v-fw7x",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-13384"
+  ],
+  "details": "The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13384"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T08:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-hgcx-x66q-2c6r/GHSA-hgcx-x66q-2c6r.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hgcx-x66q-2c6r",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-12752"
+  ],
+  "details": "The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create fake payment entries that have not actually occurred.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12752"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/subscriptions-memberships-for-paypal/trunk/includes/public_ipn.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397608%40subscriptions-memberships-for-paypal&new=3397608%40subscriptions-memberships-for-paypal&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f706b78-2d67-442c-b7a0-7d7a0fd24b2d?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T08:15:42Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-j2mv-36cj-3fvx/GHSA-j2mv-36cj-3fvx.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j2mv-36cj-3fvx",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-13318"
+  ],
+  "details": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13318"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T09:15:42Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-qx53-vgc7-7hg8/GHSA-qx53-vgc7-7hg8.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qx53-vgc7-7hg8",
+  "modified": "2025-11-22T09:31:03Z",
+  "published": "2025-11-22T09:31:03Z",
+  "aliases": [
+    "CVE-2025-12877"
+  ],
+  "details": "The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification od data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12877"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-22T08:15:44Z"
+  }
+}