Publish Advisories

GHSA-x2wr-f89p-cqwh
GHSA-54j9-9c57-rpf4
GHSA-5cm4-3q8m-3rc4
GHSA-6pg6-wx4c-whr2
GHSA-986f-m5hr-mcqp
GHSA-h2wm-f556-x8mx
GHSA-h47x-p4xp-xqjf
GHSA-hvhr-x55p-8qm9
GHSA-mjxj-p494-qx82
GHSA-p5fv-fcvc-66v7
GHSA-px95-m842-v7xq
GHSA-r7v3-v8mw-xqf9
GHSA-xrr8-pmp3-3j6q

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-x2wr-f89p-cqwh/GHSA-x2wr-f89p-cqwh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x2wr-f89p-cqwh",
-  "modified": "2026-03-19T18:31:17Z",
+  "modified": "2026-04-04T09:30:25Z",
   "published": "2026-03-19T12:30:32Z",
   "aliases": [
     "CVE-2006-10003"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html"
+    },
     {
       "type": "WEB",
       "url": "https://rt.cpan.org/Ticket/Display.html?id=19860"

advisories/unreviewed/2026/04/GHSA-54j9-9c57-rpf4/GHSA-54j9-9c57-rpf4.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-54j9-9c57-rpf4",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-2437"
+  ],
+  "details": "The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2437"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3467196/wp-travel-engine/tags/6.7.6/includes/class-wp-travel-engine-custom-shortcodes.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46731877-03e1-4552-8993-3b121b457b1b?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T09:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-5cm4-3q8m-3rc4/GHSA-5cm4-3q8m-3rc4.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5cm4-3q8m-3rc4",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-0737"
+  ],
+  "details": "The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.8/includes/shortcodes/lightbox.php?marks=69#L69"
+    },
+    {
+      "type": "WEB",
+      "url": "https://research.cleantalk.org/cve-2026-0737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62a9c9f4-ace4-4029-a720-5ea077e98be4?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T08:16:06Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-6pg6-wx4c-whr2/GHSA-6pg6-wx4c-whr2.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pg6-wx4c-whr2",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2025-13368"
+  ],
+  "details": "The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13368"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T08:16:04Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-986f-m5hr-mcqp/GHSA-986f-m5hr-mcqp.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-986f-m5hr-mcqp",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-3445"
+  ],
+  "details": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3445"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474509%40wp-user-avatar%2Ftrunk&old=3473639%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=#file3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae1e198b-0c0d-47aa-8a56-ec4e790c8022?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T09:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-h2wm-f556-x8mx/GHSA-h2wm-f556-x8mx.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h2wm-f556-x8mx",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-2600"
+  ],
+  "details": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2600"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3468265/elementskit-lite/trunk/widgets/tab/tab.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c33c640-0876-4b07-829e-35cae445b420?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T08:16:06Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-h47x-p4xp-xqjf/GHSA-h47x-p4xp-xqjf.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h47x-p4xp-xqjf",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-2826"
+  ],
+  "details": "The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the `upload_files` capability in the `process_pattern` REST API endpoint. This makes it possible for authenticated attackers, with contributor level access and above, to upload images to the WordPress Media Library by supplying remote image URLs that the server downloads and creates as media attachments.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2826"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.4/includes/class-kadence-blocks-prebuilt-library-rest-api.php#L1224"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f91df7e-5d9d-4a3a-9afc-d771106a0be6?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T09:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-hvhr-x55p-8qm9/GHSA-hvhr-x55p-8qm9.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hvhr-x55p-8qm9",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-5425"
+  ],
+  "details": "The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5425"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?old_path=social-photo-feed-widget/tags/1.7.8/social-photo-feed-widget.php&new_path=social-photo-feed-widget/tags/1.8/social-photo-feed-widget.php&old=3440215&new=3486529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?old_path=social-photo-feed-widget/tags/1.7.8/trustindex-feed-plugin.class.php&new_path=social-photo-feed-widget/tags/1.8/trustindex-feed-plugin.class.php&old=3440215&new=3486529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2584097a-8955-41c7-b009-c6502fe8b99b?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T09:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-mjxj-p494-qx82/GHSA-mjxj-p494-qx82.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mjxj-p494-qx82",
+  "modified": "2026-04-04T09:30:25Z",
+  "published": "2026-04-04T09:30:25Z",
+  "aliases": [
+    "CVE-2026-4896"
+  ],
+  "details": "The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4896"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-04T08:16:06Z"
+  }
+}