Publish Advisories

GHSA-3p73-75xq-v9wv
GHSA-3q3p-mxc5-jrmq
GHSA-54j6-6hq9-52fg
GHSA-fcx8-38mg-gr6r
GHSA-wpvh-7c2r-23rh
GHSA-wr93-5pfw-4c2v
GHSA-3jm2-936q-55vp
GHSA-gpj7-cq2g-p88f
GHSA-vr47-m93h-5gmf

advisories/unreviewed/2024/03/GHSA-3p73-75xq-v9wv/GHSA-3p73-75xq-v9wv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p73-75xq-v9wv",
-  "modified": "2025-01-23T21:31:48Z",
+  "modified": "2025-01-24T09:30:44Z",
   "published": "2024-03-12T09:30:42Z",
   "aliases": [
     "CVE-2024-26001"

advisories/unreviewed/2024/03/GHSA-3q3p-mxc5-jrmq/GHSA-3q3p-mxc5-jrmq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3q3p-mxc5-jrmq",
-  "modified": "2025-01-23T21:31:48Z",
+  "modified": "2025-01-24T09:30:44Z",
   "published": "2024-03-12T09:30:42Z",
   "aliases": [
     "CVE-2024-26000"

advisories/unreviewed/2024/03/GHSA-54j6-6hq9-52fg/GHSA-54j6-6hq9-52fg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-54j6-6hq9-52fg",
-  "modified": "2025-01-23T21:31:48Z",
+  "modified": "2025-01-24T09:30:43Z",
   "published": "2024-03-12T09:30:42Z",
   "aliases": [
     "CVE-2024-25994"

advisories/unreviewed/2024/03/GHSA-fcx8-38mg-gr6r/GHSA-fcx8-38mg-gr6r.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fcx8-38mg-gr6r",
-  "modified": "2025-01-23T21:31:48Z",
+  "modified": "2025-01-24T09:30:44Z",
   "published": "2024-03-12T09:30:42Z",
   "aliases": [
     "CVE-2024-25998"

advisories/unreviewed/2024/05/GHSA-wpvh-7c2r-23rh/GHSA-wpvh-7c2r-23rh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wpvh-7c2r-23rh",
-  "modified": "2025-01-23T21:31:50Z",
+  "modified": "2025-01-24T09:30:44Z",
   "published": "2024-05-14T18:30:59Z",
   "aliases": [
     "CVE-2024-28135"

advisories/unreviewed/2024/10/GHSA-wr93-5pfw-4c2v/GHSA-wr93-5pfw-4c2v.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wr93-5pfw-4c2v",
-  "modified": "2024-10-15T12:30:37Z",
+  "modified": "2025-01-24T09:30:44Z",
   "published": "2024-10-15T12:30:37Z",
   "aliases": [
     "CVE-2024-45276"
@@ -26,6 +26,10 @@
     {
       "type": "WEB",
       "url": "https://cert.vde.com/en/advisories/VDE-2024-066"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-065.txt"
     }
   ],
   "database_specific": {

advisories/unreviewed/2025/01/GHSA-3jm2-936q-55vp/GHSA-3jm2-936q-55vp.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3jm2-936q-55vp",
+  "modified": "2025-01-24T09:30:45Z",
+  "published": "2025-01-24T09:30:45Z",
+  "aliases": [
+    "CVE-2024-13545"
+  ],
+  "details": "The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If php://filter is enabled on the server, this issue may directly lead to Remote Code Execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13545"
+    },
+    {
+      "type": "WEB",
+      "url": "https://themes.trac.wordpress.org/browser/bootstrap-ultimate/1.4.9/docs/index.php#L8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07af10-e5fc-4f28-a343-f56c0e2bc324?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-24T09:15:22Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-gpj7-cq2g-p88f/GHSA-gpj7-cq2g-p88f.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gpj7-cq2g-p88f",
+  "modified": "2025-01-24T09:30:45Z",
+  "published": "2025-01-24T09:30:45Z",
+  "aliases": [
+    "CVE-2024-13680"
+  ],
+  "details": "The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode in all versions up to, and including, 1.2.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13680"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/cp-easy-form-builder/tags/1.2.41/cp_easy_form_builder.php#L297"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3214984%40cp-easy-form-builder&new=3214984%40cp-easy-form-builder&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a018fcb1-b7a6-456f-ab0b-59ccc1fd5b67?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-24T07:15:06Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-vr47-m93h-5gmf/GHSA-vr47-m93h-5gmf.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vr47-m93h-5gmf",
+  "modified": "2025-01-24T09:30:45Z",
+  "published": "2025-01-24T09:30:45Z",
+  "aliases": [
+    "CVE-2024-13683"
+  ],
+  "details": "The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. This is due to missing or incorrect nonce validation on the 'automate_hub' page. This makes it possible for unauthenticated attackers to update an activation status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13683"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/automate-hub-free-by-sperse-io/trunk/apps/s/sperse/sperse.php#L141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/automate-hub-free-by-sperse-io"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6d90ca3-dc24-4634-9f98-83a909e3e093?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-24T07:15:08Z"
+  }
+}