github
diff --git a/‎advisories/unreviewed/2025/12/GHSA-28cp-rjg9-r8c3/GHSA-28cp-rjg9-r8c3.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-28cp-rjg9-r8c3/GHSA-28cp-rjg9-r8c3.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-3455-8m4x-7x89/GHSA-3455-8m4x-7x89.json‎
Lines changed: 40 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-3455-8m4x-7x89/GHSA-3455-8m4x-7x89.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-4x4p-8hj2-h92h/GHSA-4x4p-8hj2-h92h.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-4x4p-8hj2-h92h/GHSA-4x4p-8hj2-h92h.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-5rq6-3978-369w/GHSA-5rq6-3978-369w.json‎
Lines changed: 35 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-5rq6-3978-369w/GHSA-5rq6-3978-369w.json‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-647v-r7p3-c33c/GHSA-647v-r7p3-c33c.json‎
Lines changed: 56 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-647v-r7p3-c33c/GHSA-647v-r7p3-c33c.json‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-6jvx-rr4c-j9j5/GHSA-6jvx-rr4c-j9j5.json‎
Lines changed: 40 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-6jvx-rr4c-j9j5/GHSA-6jvx-rr4c-j9j5.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-7m2h-m3fc-4qj7/GHSA-7m2h-m3fc-4qj7.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-7m2h-m3fc-4qj7/GHSA-7m2h-m3fc-4qj7.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-c565-3j89-9cp4/GHSA-c565-3j89-9cp4.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-c565-3j89-9cp4/GHSA-c565-3j89-9cp4.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-cxq4-78fr-7wpg/GHSA-cxq4-78fr-7wpg.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2025/12/GHSA-cxq4-78fr-7wpg/GHSA-cxq4-78fr-7wpg.json‎
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-28cp-rjg9-r8c3",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-14030"
+  ],
+  "details": "The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14030"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T12:15:45Z"
+  }
+}
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3455-8m4x-7x89",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-12408"
+  ],
+  "details": "The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12408"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T12:15:45Z"
+  }
+}
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4x4p-8hj2-h92h",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-14159"
+  ],
+  "details": "The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14159"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/secure-copy-content-protection/#developers"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T12:15:46Z"
+  }
+}
@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5rq6-3978-369w",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-58137"
+  ],
+  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58137"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/12/11/7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T10:15:49Z"
+  }
+}
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-647v-r7p3-c33c",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-13993"
+  ],
+  "details": "The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13993"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L179"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L224"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L38"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L94"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3416100/official-mailerlite-sign-up-forms/trunk/src/Controllers/AdminController.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c37cc28-fde0-45c6-b49c-d6dfb296c4a5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T10:15:48Z"
+  }
+}
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6jvx-rr4c-j9j5",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-23408"
+  ],
+  "details": "Weak Password Requirements vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23408"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/12/11/5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-521"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T10:15:48Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7m2h-m3fc-4qj7",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-12835"
+  ],
+  "details": "The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12835"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/1650ddac-04c7-47fa-b03e-bd0338243fcc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T11:15:50Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c565-3j89-9cp4",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-12841"
+  ],
+  "details": "The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/60cb3d5f-1aa5-4858-ab84-07fe7c023fdd"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T11:15:51Z"
+  }
+}
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cxq4-78fr-7wpg",
+  "modified": "2025-12-12T12:30:25Z",
+  "published": "2025-12-12T12:30:25Z",
+  "aliases": [
+    "CVE-2025-12348"
+  ],
+  "details": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12348"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-12T10:15:48Z"
+  }
+}