Skip to content

Commit 16f8200

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-v474-g846-5m4r GHSA-x7f7-7836-w8h5
1 parent 7ca20b2 commit 16f8200

2 files changed

Lines changed: 69 additions & 0 deletions

File tree

advisories/unreviewed/2026/03/GHSA-v474-g846-5m4r/GHSA-v474-g846-5m4r.json

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-v474-g846-5m4r",
4+
"modified": "2026-03-28T06:30:24Z",
5+
"published": "2026-03-28T06:30:24Z",
6+
"aliases": [
7+
"CVE-2025-15445"
8+
],
9+
"details": "The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15445"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/f3f4a734-5828-4e3f-a170-28189aeda929"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-03-28T06:16:00Z"
28+
}
29+
}

advisories/unreviewed/2026/03/GHSA-x7f7-7836-w8h5/GHSA-x7f7-7836-w8h5.json

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-x7f7-7836-w8h5",
4+
"modified": "2026-03-28T06:30:24Z",
5+
"published": "2026-03-28T06:30:24Z",
6+
"aliases": [
7+
"CVE-2025-12886"
8+
],
9+
"details": "The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12886"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://documentation.laborator.co/kb/oxygen/oxygen-release-notes"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c83f430-8a4d-40fa-890c-387c787a3b55?source=cve"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-918"
34+
],
35+
"severity": "HIGH",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-03-28T04:16:49Z"
39+
}
40+
}

0 commit comments

Comments
 (0)