Publish Advisories

GHSA-3w6x-j894-mcx4
GHSA-4xqm-hx6r-2gp8
GHSA-5r88-ccjv-66xq
GHSA-8wv5-4mjg-mcjg
GHSA-93v3-46mj-22fw
GHSA-h7h6-79g4-qpq3
GHSA-hjcx-w529-729v
GHSA-j4mr-6qvv-6q4w
GHSA-mrfv-m5wm-5w6w
GHSA-qw27-cxc9-7xxh
GHSA-r9h3-v9hv-vpf2
GHSA-v43f-9m3r-qj67
GHSA-vwg9-2rf4-w4xc
GHSA-x3v7-84r2-j89m
GHSA-xgr9-pmph-722v

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-3w6x-j894-mcx4/GHSA-3w6x-j894-mcx4.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3w6x-j894-mcx4",
+  "modified": "2025-12-31T06:30:18Z",
+  "published": "2025-12-31T06:30:18Z",
+  "aliases": [
+    "CVE-2025-68885"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS.This issue affects Custom Post Status: from n/a through 1.1.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68885"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/custom-post-status/vulnerability/wordpress-custom-post-status-plugin-1-1-0-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-4xqm-hx6r-2gp8/GHSA-4xqm-hx6r-2gp8.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4xqm-hx6r-2gp8",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:17Z",
+  "aliases": [
+    "CVE-2025-13029"
+  ],
+  "details": "The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13029"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5r88-ccjv-66xq/GHSA-5r88-ccjv-66xq.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5r88-ccjv-66xq",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:17Z",
+  "aliases": [
+    "CVE-2025-49342"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Wolfgang Häfelinger Custom Style allows Stored XSS.This issue affects Custom Style: from n/a through 1.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-8wv5-4mjg-mcjg/GHSA-8wv5-4mjg-mcjg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8wv5-4mjg-mcjg",
+  "modified": "2025-12-31T06:30:18Z",
+  "published": "2025-12-31T06:30:18Z",
+  "aliases": [
+    "CVE-2025-49353"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path allows Stored XSS.This issue affects Noindex by Path: from n/a through 1.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49353"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/noindex-by-path/vulnerability/wordpress-noindex-by-path-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-93v3-46mj-22fw/GHSA-93v3-46mj-22fw.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-93v3-46mj-22fw",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:16Z",
+  "aliases": [
+    "CVE-2025-15373"
+  ],
+  "details": "A security vulnerability has been detected in EyouCMS up to 1.7.7. Impacted is the function saveRemote of the file application/function.php. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor is \"[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8\".",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15373"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK#-span--strong-proof-of-concept---strong---span-"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.339081"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.339081"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.718465"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T04:15:53Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-h7h6-79g4-qpq3/GHSA-h7h6-79g4-qpq3.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h7h6-79g4-qpq3",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:17Z",
+  "aliases": [
+    "CVE-2025-49343"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Socialprofilr Social Profilr allows Stored XSS.This issue affects Social Profilr: from n/a through 1.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49343"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/social-profilr-display-social-network-profile/vulnerability/wordpress-social-profilr-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hjcx-w529-729v/GHSA-hjcx-w529-729v.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hjcx-w529-729v",
+  "modified": "2025-12-31T06:30:18Z",
+  "published": "2025-12-31T06:30:18Z",
+  "aliases": [
+    "CVE-2025-49354"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through 1.4.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49354"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-j4mr-6qvv-6q4w/GHSA-j4mr-6qvv-6q4w.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j4mr-6qvv-6q4w",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:17Z",
+  "aliases": [
+    "CVE-2025-14434"
+  ],
+  "details": "The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14434"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/bf3c3193-fc9c-454b-ad4f-94ba1669a312"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-mrfv-m5wm-5w6w/GHSA-mrfv-m5wm-5w6w.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mrfv-m5wm-5w6w",
+  "modified": "2025-12-31T06:30:18Z",
+  "published": "2025-12-31T06:30:18Z",
+  "aliases": [
+    "CVE-2025-69277"
+  ],
+  "details": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69277"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"
+    },
+    {
+      "type": "WEB",
+      "url": "https://00f.net/2025/12/30/libsodium-vulnerability"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ianix.com/pub/ed25519-deployment.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://news.ycombinator.com/item?id=46435614"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-184"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-qw27-cxc9-7xxh/GHSA-qw27-cxc9-7xxh.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qw27-cxc9-7xxh",
+  "modified": "2025-12-31T06:30:17Z",
+  "published": "2025-12-31T06:30:17Z",
+  "aliases": [
+    "CVE-2025-49344"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Rene Ade SensitiveTagCloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through 1.4.1.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49344"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vdp.patchstack.com/database/wordpress/plugin/sensitive-tag-cloud/vulnerability/wordpress-sensitivetagcloud-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-31T06:15:40Z"
+  }
+}