Publish Advisories

GHSA-gj84-8vfx-q3vm
GHSA-gx7v-vcr7-wxqp
GHSA-jww7-hq4m-9wq6
GHSA-pmjc-x5xh-p27v
GHSA-x3hh-fgq4-6rqr
GHSA-xh54-v5gh-jq8v

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-gj84-8vfx-q3vm/GHSA-gj84-8vfx-q3vm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gj84-8vfx-q3vm",
-  "modified": "2025-11-11T21:30:27Z",
+  "modified": "2025-11-12T06:30:24Z",
   "published": "2025-10-09T15:31:03Z",
   "aliases": [
     "CVE-2025-11561"
@@ -21,63 +21,67 @@
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19610"
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402727"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19847"
+      "url": "https://blog.async.sg/kerberos-ldr"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19848"
+      "url": "https://access.redhat.com/security/cve/CVE-2025-11561"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19849"
+      "url": "https://access.redhat.com/errata/RHSA-2025:21067"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19850"
+      "url": "https://access.redhat.com/errata/RHSA-2025:21020"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19851"
+      "url": "https://access.redhat.com/errata/RHSA-2025:20954"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19852"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19859"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19854"
     },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:19853"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19854"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19852"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:19859"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19851"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:20954"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19850"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:21020"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19849"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/security/cve/CVE-2025-11561"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19848"
     },
     {
       "type": "WEB",
-      "url": "https://blog.async.sg/kerberos-ldr"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19847"
     },
     {
       "type": "WEB",
-      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402727"
+      "url": "https://access.redhat.com/errata/RHSA-2025:19610"
     }
   ],
   "database_specific": {

advisories/unreviewed/2025/11/GHSA-gx7v-vcr7-wxqp/GHSA-gx7v-vcr7-wxqp.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gx7v-vcr7-wxqp",
+  "modified": "2025-11-12T06:30:24Z",
+  "published": "2025-11-12T06:30:24Z",
+  "aliases": [
+    "CVE-2025-12087"
+  ],
+  "details": "The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12087"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-12T05:15:39Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-jww7-hq4m-9wq6/GHSA-jww7-hq4m-9wq6.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jww7-hq4m-9wq6",
+  "modified": "2025-11-12T06:30:24Z",
+  "published": "2025-11-12T06:30:24Z",
+  "aliases": [
+    "CVE-2025-12901"
+  ],
+  "details": "The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12901"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Asgaros/asgaros-forum/commit/92305fb8ba4ec0a6c65256915d0a32e5553b74f3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L605"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L606"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392004%40asgaros-forum&new=3392004%40asgaros-forum&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75625e6e-f75b-4e11-acd8-7388efb12b29?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-12T05:15:43Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-pmjc-x5xh-p27v/GHSA-pmjc-x5xh-p27v.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pmjc-x5xh-p27v",
+  "modified": "2025-11-12T06:30:24Z",
+  "published": "2025-11-12T06:30:24Z",
+  "aliases": [
+    "CVE-2025-12833"
+  ],
+  "details": "The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12833"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/geodirectory"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-12T05:15:41Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-x3hh-fgq4-6rqr/GHSA-x3hh-fgq4-6rqr.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x3hh-fgq4-6rqr",
+  "modified": "2025-11-12T06:30:24Z",
+  "published": "2025-11-12T06:30:24Z",
+  "aliases": [
+    "CVE-2025-54983"
+  ],
+  "details": "A health check port on Zscaler Client Connector on Windows, versions 4.6 <  4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54983"
+    },
+    {
+      "type": "WEB",
+      "url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-772"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-12T04:15:41Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-xh54-v5gh-jq8v/GHSA-xh54-v5gh-jq8v.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xh54-v5gh-jq8v",
+  "modified": "2025-11-12T06:30:24Z",
+  "published": "2025-11-12T06:30:24Z",
+  "aliases": [
+    "CVE-2025-11560"
+  ],
+  "details": "The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11560"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/64d7a074-3f1d-4b09-8e96-d76b9fb3c41e"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-12T06:15:33Z"
+  }
+}