Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1f017a7dafe7 · 2026-01-10T09:32:03.000Z
GHSA-4wfj-gghq-89j5 GHSA-h49h-jpp7-xv85 GHSA-hxh3-g6p5-hhm6 GHSA-q65f-fgmm-q786 GHSA-vvm5-qpfc-95c2
diff --git a/advisories/unreviewed/2026/01/GHSA-4wfj-gghq-89j5/GHSA-4wfj-gghq-89j5.json b/advisories/unreviewed/2026/01/GHSA-4wfj-gghq-89j5/GHSA-4wfj-gghq-89j5.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4wfj-gghq-89j5",
+  "modified": "2026-01-10T09:30:19Z",
+  "published": "2026-01-10T09:30:19Z",
+  "aliases": [
+    "CVE-2025-14976"
+  ],
+  "details": "The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14976"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.4.8/includes/abstracts/abstract-ur-list-table.php#L290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3435099/user-registration"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5495b4c-a1ac-4860-83a7-686d9436d983?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-10T09:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-h49h-jpp7-xv85/GHSA-h49h-jpp7-xv85.json b/advisories/unreviewed/2026/01/GHSA-h49h-jpp7-xv85/GHSA-h49h-jpp7-xv85.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h49h-jpp7-xv85",
+  "modified": "2026-01-10T09:30:19Z",
+  "published": "2026-01-10T09:30:19Z",
+  "aliases": [
+    "CVE-2025-15503"
+  ],
+  "details": "A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15503"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/13#issue-3770623333"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.340348"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.340348"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.727253"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-10T09:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-hxh3-g6p5-hhm6/GHSA-hxh3-g6p5-hhm6.json b/advisories/unreviewed/2026/01/GHSA-hxh3-g6p5-hhm6/GHSA-hxh3-g6p5-hhm6.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxh3-g6p5-hhm6",
+  "modified": "2026-01-10T09:30:18Z",
+  "published": "2026-01-10T09:30:18Z",
+  "aliases": [
+    "CVE-2025-14943"
+  ],
+  "details": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14943"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php#L243"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php?rev=3423620#L252"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-10T07:16:02Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-q65f-fgmm-q786/GHSA-q65f-fgmm-q786.json b/advisories/unreviewed/2026/01/GHSA-q65f-fgmm-q786/GHSA-q65f-fgmm-q786.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q65f-fgmm-q786",
+  "modified": "2026-01-10T09:30:18Z",
+  "published": "2026-01-10T09:30:18Z",
+  "aliases": [
+    "CVE-2025-14948"
+  ],
+  "details": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-10T07:16:02Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-vvm5-qpfc-95c2/GHSA-vvm5-qpfc-95c2.json b/advisories/unreviewed/2026/01/GHSA-vvm5-qpfc-95c2/GHSA-vvm5-qpfc-95c2.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vvm5-qpfc-95c2",
+  "modified": "2026-01-10T09:30:19Z",
+  "published": "2026-01-10T09:30:19Z",
+  "aliases": [
+    "CVE-2025-15502"
+  ],
+  "details": "A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15502"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/14#issue-3770634476"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.340347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.340347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.727217"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-10T08:15:48Z"
+  }
+}
