From b122c189cbee5fe0d9ea39df868b36e7a8b93511 Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Sat, 8 Mar 2025 11:03:49 +0000 Subject: [PATCH] Auto-Update: 2025-03-08T11:00:19.512216+00:00 --- CVE-2024/CVE-2024-103xx/CVE-2024-10321.json | 60 +++++++++++++++++ CVE-2024/CVE-2024-133xx/CVE-2024-13359.json | 68 +++++++++++++++++++ CVE-2024/CVE-2024-138xx/CVE-2024-13816.json | 60 +++++++++++++++++ CVE-2024/CVE-2024-138xx/CVE-2024-13882.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-01xx/CVE-2025-0177.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-12xx/CVE-2025-1287.json | 72 +++++++++++++++++++++ CVE-2025/CVE-2025-13xx/CVE-2025-1322.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-13xx/CVE-2025-1323.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-13xx/CVE-2025-1324.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-13xx/CVE-2025-1325.json | 60 +++++++++++++++++ CVE-2025/CVE-2025-17xx/CVE-2025-1783.json | 64 ++++++++++++++++++ README.md | 21 ++++-- _state.csv | 15 ++++- 13 files changed, 712 insertions(+), 8 deletions(-) create mode 100644 CVE-2024/CVE-2024-103xx/CVE-2024-10321.json create mode 100644 CVE-2024/CVE-2024-133xx/CVE-2024-13359.json create mode 100644 CVE-2024/CVE-2024-138xx/CVE-2024-13816.json create mode 100644 CVE-2024/CVE-2024-138xx/CVE-2024-13882.json create mode 100644 CVE-2025/CVE-2025-01xx/CVE-2025-0177.json create mode 100644 CVE-2025/CVE-2025-12xx/CVE-2025-1287.json create mode 100644 CVE-2025/CVE-2025-13xx/CVE-2025-1322.json create mode 100644 CVE-2025/CVE-2025-13xx/CVE-2025-1323.json create mode 100644 CVE-2025/CVE-2025-13xx/CVE-2025-1324.json create mode 100644 CVE-2025/CVE-2025-13xx/CVE-2025-1325.json create mode 100644 CVE-2025/CVE-2025-17xx/CVE-2025-1783.json diff --git a/CVE-2024/CVE-2024-103xx/CVE-2024-10321.json b/CVE-2024/CVE-2024-103xx/CVE-2024-10321.json new file mode 100644 index 00000000000..12bcc7c963f --- /dev/null +++ b/CVE-2024/CVE-2024-103xx/CVE-2024-10321.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2024-10321", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T09:15:29.657", + "lastModified": "2025-03-08T09:15:29.657", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The All-in-One Addons for Elementor \u2013 WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.4 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-200" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/browser/widgetkit-for-elementor/trunk/elements/advanced-tab/template/view.php#L68", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e470017-c453-435d-8342-66874a794537?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-133xx/CVE-2024-13359.json b/CVE-2024/CVE-2024-133xx/CVE-2024-13359.json new file mode 100644 index 00000000000..24de232eafb --- /dev/null +++ b/CVE-2024/CVE-2024-133xx/CVE-2024-13359.json @@ -0,0 +1,68 @@ +{ + "id": "CVE-2024-13359", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:09.977", + "lastModified": "2025-03-08T10:15:09.977", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.1. This may make it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH" + }, + "exploitabilityScore": 2.2, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-434" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/browser/product-input-fields-for-woocommerce/tags/-1.8.2/includes/class-alg-wc-pif-main.php", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234567%40product-input-fields-for-woocommerce&new=3234567%40product-input-fields-for-woocommerce&sfp_email=&sfph_mail=", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3250201%40product-input-fields-for-woocommerce&new=3250201%40product-input-fields-for-woocommerce&sfp_email=&sfph_mail=", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9c08f2e-bffd-40a6-89f3-559cb34f4395?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-138xx/CVE-2024-13816.json b/CVE-2024/CVE-2024-138xx/CVE-2024-13816.json new file mode 100644 index 00000000000..54accf24436 --- /dev/null +++ b/CVE-2024/CVE-2024-138xx/CVE-2024-13816.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2024-13816", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T09:15:31.077", + "lastModified": "2025-03-08T09:15:31.077", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 2.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete posts, list and delete batches, list assistant uploaded files, delete personas, delete forms, delete templates, and clear logs. The vulnerability was partially patched in version 2.3.5." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.5 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-862" + } + ] + } + ], + "references": [ + { + "url": "https://coderevolution.ro/knowledge-base/faq/full-changelog-aiomatic-automatic-ai-content-writer-editor-gpt-3-gpt-4-chatgpt-chatbot-ai-toolkit/#item-description__changelog", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69de7d93-b255-4d41-8680-9762ff632804?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-138xx/CVE-2024-13882.json b/CVE-2024/CVE-2024-138xx/CVE-2024-13882.json new file mode 100644 index 00000000000..8c26530a155 --- /dev/null +++ b/CVE-2024/CVE-2024-138xx/CVE-2024-13882.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2024-13882", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T09:15:31.250", + "lastModified": "2025-03-08T09:15:31.250", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_generate_featured_image' function in all versions up to, and including, 2.3.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH" + }, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-434" + } + ] + } + ], + "references": [ + { + "url": "https://coderevolution.ro/knowledge-base/faq/full-changelog-aiomatic-automatic-ai-content-writer-editor-gpt-3-gpt-4-chatgpt-chatbot-ai-toolkit/", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7108df0d-771a-4404-b90d-8ac8bc572898?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-01xx/CVE-2025-0177.json b/CVE-2025/CVE-2025-01xx/CVE-2025-0177.json new file mode 100644 index 00000000000..420b7f94633 --- /dev/null +++ b/CVE-2025/CVE-2025-01xx/CVE-2025-0177.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2025-0177", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T09:15:31.420", + "lastModified": "2025-03-08T09:15:31.420", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-269" + } + ] + } + ], + "references": [ + { + "url": "https://themeforest.net/item/javo-directory-wordpress-theme/8390513#item-description__update-history", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d636768-37b4-4343-9028-30e7b1f997f2?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-12xx/CVE-2025-1287.json b/CVE-2025/CVE-2025-12xx/CVE-2025-1287.json new file mode 100644 index 00000000000..e991cdc5a12 --- /dev/null +++ b/CVE-2025/CVE-2025-12xx/CVE-2025-1287.json @@ -0,0 +1,72 @@ +{ + "id": "CVE-2025-1287", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T09:15:31.590", + "lastModified": "2025-03-08T09:15:31.590", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 3.1, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.2.0/modules/widgets/tp_countdown.php#L1868", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.2.0/modules/widgets/tp_page_scroll.php#L1015", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.2.0/modules/widgets/tp_syntax_highlighter.php#L1043", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3252092/", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbf86da7-621d-4fb7-ba16-d132db5b602a?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-13xx/CVE-2025-1322.json b/CVE-2025/CVE-2025-13xx/CVE-2025-1322.json new file mode 100644 index 00000000000..49ac53060bc --- /dev/null +++ b/CVE-2025/CVE-2025-13xx/CVE-2025-1322.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2025-1322", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:10.583", + "lastModified": "2025-03-08T10:15:10.583", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-200" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/rcl-chat/core.php", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c667be65-e6d3-40e1-aeec-384d309fde3d?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-13xx/CVE-2025-1323.json b/CVE-2025/CVE-2025-13xx/CVE-2025-1323.json new file mode 100644 index 00000000000..69c988e65d6 --- /dev/null +++ b/CVE-2025/CVE-2025-13xx/CVE-2025-1323.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2025-1323", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:11.003", + "lastModified": "2025-03-08T10:15:11.003", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-89" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/rcl-chat/core.php", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae5b4d81-c2f1-4d0d-b7b0-5556bf0451f5?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-13xx/CVE-2025-1324.json b/CVE-2025/CVE-2025-13xx/CVE-2025-1324.json new file mode 100644 index 00000000000..4f06380b85c --- /dev/null +++ b/CVE-2025/CVE-2025-13xx/CVE-2025-1324.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2025-1324", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:11.217", + "lastModified": "2025-03-08T10:15:11.217", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 3.1, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/publicpost/shortcodes.php", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e0be093-d61a-4634-ba9b-91dd7328e8cd?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-13xx/CVE-2025-1325.json b/CVE-2025/CVE-2025-13xx/CVE-2025-1325.json new file mode 100644 index 00000000000..5b0941137d7 --- /dev/null +++ b/CVE-2025/CVE-2025-13xx/CVE-2025-1325.json @@ -0,0 +1,60 @@ +{ + "id": "CVE-2025-1325", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:11.427", + "lastModified": "2025-03-08T10:15:11.427", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW" + }, + "exploitabilityScore": 2.8, + "impactScore": 3.4 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-862" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/publicpost/functions-ajax.php", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad3b9040-05ed-452d-9b3f-26d1a93c62ba?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2025/CVE-2025-17xx/CVE-2025-1783.json b/CVE-2025/CVE-2025-17xx/CVE-2025-1783.json new file mode 100644 index 00000000000..a036758f93a --- /dev/null +++ b/CVE-2025/CVE-2025-17xx/CVE-2025-1783.json @@ -0,0 +1,64 @@ +{ + "id": "CVE-2025-1783", + "sourceIdentifier": "security@wordfence.com", + "published": "2025-03-08T10:15:11.647", + "lastModified": "2025-03-08T10:15:11.647", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "The Gallery Styles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery Block in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 3.1, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "security@wordfence.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://plugins.trac.wordpress.org/browser/gallery-styles/tags/1.3.4/gallery-styles.php#L34", + "source": "security@wordfence.com" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3251908/gallery-styles/trunk/gallery-styles.php", + "source": "security@wordfence.com" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9443e36-648c-4984-8b06-28e9da959e26?source=cve", + "source": "security@wordfence.com" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index a038397d7c4..806cd51136f 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2025-03-08T09:00:19.843552+00:00 +2025-03-08T11:00:19.512216+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2025-03-08T07:15:10.690000+00:00 +2025-03-08T10:15:11.647000+00:00 ``` ### Last Data Feed Release @@ -33,15 +33,24 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -284535 +284546 ``` ### CVEs added in the last Commit -Recently added CVEs: `2` +Recently added CVEs: `11` -- [CVE-2024-11087](CVE-2024/CVE-2024-110xx/CVE-2024-11087.json) (`2025-03-08T07:15:09.720`) -- [CVE-2024-13908](CVE-2024/CVE-2024-139xx/CVE-2024-13908.json) (`2025-03-08T07:15:10.690`) +- [CVE-2024-10321](CVE-2024/CVE-2024-103xx/CVE-2024-10321.json) (`2025-03-08T09:15:29.657`) +- [CVE-2024-13359](CVE-2024/CVE-2024-133xx/CVE-2024-13359.json) (`2025-03-08T10:15:09.977`) +- [CVE-2024-13816](CVE-2024/CVE-2024-138xx/CVE-2024-13816.json) (`2025-03-08T09:15:31.077`) +- [CVE-2024-13882](CVE-2024/CVE-2024-138xx/CVE-2024-13882.json) (`2025-03-08T09:15:31.250`) +- [CVE-2025-0177](CVE-2025/CVE-2025-01xx/CVE-2025-0177.json) (`2025-03-08T09:15:31.420`) +- [CVE-2025-1287](CVE-2025/CVE-2025-12xx/CVE-2025-1287.json) (`2025-03-08T09:15:31.590`) +- [CVE-2025-1322](CVE-2025/CVE-2025-13xx/CVE-2025-1322.json) (`2025-03-08T10:15:10.583`) +- [CVE-2025-1323](CVE-2025/CVE-2025-13xx/CVE-2025-1323.json) (`2025-03-08T10:15:11.003`) +- [CVE-2025-1324](CVE-2025/CVE-2025-13xx/CVE-2025-1324.json) (`2025-03-08T10:15:11.217`) +- [CVE-2025-1325](CVE-2025/CVE-2025-13xx/CVE-2025-1325.json) (`2025-03-08T10:15:11.427`) +- [CVE-2025-1783](CVE-2025/CVE-2025-17xx/CVE-2025-1783.json) (`2025-03-08T10:15:11.647`) ### CVEs modified in the last Commit diff --git a/_state.csv b/_state.csv index 971c836551a..00dff9cebb4 100644 --- a/_state.csv +++ b/_state.csv @@ -244534,6 +244534,7 @@ CVE-2024-10318,0,0,1208a954737503f9ae621559bc099386d5e97f2e4507045726c3130f57b32 CVE-2024-10319,0,0,68d02b703a0a786e535b0c06357fe7c6d9a4d92b566f67658115227be405d0f3,2024-11-08T15:25:16.317000 CVE-2024-1032,0,0,c6d8d12d638c10dd834e783d36f86ba17d33a36b799d5e13aadbdfedd22b0728,2024-11-21T08:49:38.587000 CVE-2024-10320,0,0,727a463e6d691153e4adf6d21dfba57d62d85f0e63e6347b0c5272cff36a9bf2,2024-12-06T09:15:04.710000 +CVE-2024-10321,1,1,da1c1d01bfd86779c48eac76a82f4a44680288327e3611217ac5778e8a964a4d,2025-03-08T09:15:29.657000 CVE-2024-10322,0,0,65e160abc627e6b2fb9f1eeeb2a4000315ec9c0044ac5b8e323b66f8d27f2ca9,2025-02-20T20:40:34.440000 CVE-2024-10323,0,0,74c01ce4124a9449f0a3de143c2d6269eaaed2dcc05dfdfdac09c2b033a02614,2025-02-05T17:18:49.550000 CVE-2024-10324,0,0,cfaeca60a4f0aa309330a37a66e2005b2fce423bc7c33f12b5f1c3188e784a63,2025-02-04T19:41:41.250000 @@ -245230,7 +245231,7 @@ CVE-2024-11082,0,0,2068f4ddbc0d21e33db6ba3989176bd5aedcb5da6f30a07d96e2944d8ba88 CVE-2024-11083,0,0,8060d1be07c2085add29a68ce088e46bf1b117fbd5e8fe231b842cd4d2355c1d,2024-11-27T06:15:17.707000 CVE-2024-11085,0,0,997988ac78259b1ae8db8c6e9651c22f46fbbaea4f307171e6fff12e9b424710,2024-11-18T17:11:17.393000 CVE-2024-11086,0,0,f4d7f35e95dad05e023fed49ac9e59da09a947f51bc79e0e10dc6b97e93d7482,2024-11-20T13:15:04.020000 -CVE-2024-11087,1,1,848ba3dab32ff0162f5d034f77bfa9e62fe8169091600aa61dde0d51e75daeb2,2025-03-08T07:15:09.720000 +CVE-2024-11087,0,0,848ba3dab32ff0162f5d034f77bfa9e62fe8169091600aa61dde0d51e75daeb2,2025-03-08T07:15:09.720000 CVE-2024-11088,0,0,63268aae491d1c648e7cfec2d8bb4b9b8988c9a8de960fef99629298e381225d,2024-11-21T15:15:21.097000 CVE-2024-11089,0,0,0f46a9a629be88f215b4a7ad0d79575a4e3b0caab898de683427fa2e5561e411,2024-11-21T15:15:21.500000 CVE-2024-1109,0,0,a7b1e71489d6774ecfe851782646b725fb9b27ab957ae0f8b7f311d63d7950f6,2024-11-21T08:49:48.980000 @@ -247353,6 +247354,7 @@ CVE-2024-13354,0,0,70c8df8ffc765e671782c1c5275e6f7668ade0103b0f3f6fd1920147a9a81 CVE-2024-13355,0,0,b14926ff025e929de229a84af4734d711f0473d16ba82bc6498a7b20173af029,2025-01-16T10:15:08.750000 CVE-2024-13356,0,0,4c62ebf770eb8ffd31345cb0ef6c5025a9e134a147f2b545dcf049e579341f09,2025-02-04T10:15:07.920000 CVE-2024-13358,0,0,b1c8c907a5b672a39adc84aa5bad4ea5001bafb396499be4fc518e46c65a928d,2025-03-01T04:15:09.550000 +CVE-2024-13359,1,1,df76a7fae90c0c3618e5cfaf0bc4ad676abf7e64e8eef5848c9e384e16259fd1,2025-03-08T10:15:09.977000 CVE-2024-1336,0,0,5ac217bb74b5afa6bf4a3181b1971e5eb197bf861678b67cc85953b7d0e71d82,2024-12-31T16:51:04.857000 CVE-2024-13360,0,0,42c7ef7264873842b1b321dcb1d9eb02287e4b9dd082710569d0b72683473221,2025-01-24T18:58:46.177000 CVE-2024-13361,0,0,796ae81aa903e35e91be1aa59cd637cc5eee53bc205bb2f1ae10309102da0980,2025-01-24T18:55:22.577000 @@ -247758,6 +247760,7 @@ CVE-2024-13811,0,0,5b94a426632e0b7858178241c275865820be67c397c2529c7a30884806a0b CVE-2024-13813,0,0,fdc4ad5ea8556267af57de167767e42189cf8d83fe0a9d1183500203243c2b38,2025-02-20T15:56:04.087000 CVE-2024-13814,0,0,1eaa34671c59ff347de019eb0f7db92c91d554728619786a007d058e64ccd6e0,2025-02-18T21:30:00.523000 CVE-2024-13815,0,0,c26d747b30e16449187df89ae1a63f232878b2518b742ef230f0e1b934e49302,2025-03-05T10:15:18.210000 +CVE-2024-13816,1,1,cc0ed660c4e98ec0c8e0139557ba1a1f397c873674f832242bf2408bfc3089b8,2025-03-08T09:15:31.077000 CVE-2024-13817,0,0,b5a69d8e5693042f6213842e77c8ea5e9adad031b258d4d25f98e0b0bd22c27b,2025-01-31T03:15:10.910000 CVE-2024-13818,0,0,b34cef01cb19d809209555e3902d48d3c034a9e483326b43d02f63f2eb6722a8,2025-02-25T17:03:16.093000 CVE-2024-1382,0,0,46ba372cc585c5cc80406db23ae24542751b0e1ef43905cbc6e0bcf967676a5e,2025-01-21T17:04:33.737000 @@ -247800,6 +247803,7 @@ CVE-2024-1387,0,0,8e6bcbdaec79085616e17d0cff8f7e9074033b4370339ebb2fb375231d6ccb CVE-2024-13873,0,0,ef7d81633c3243b5a662796d38d39a610ff44d855cd436a1a77aa5716496d20c,2025-02-22T04:15:09.567000 CVE-2024-13879,0,0,840cef42e99ba3012c3b31f8bded69776814665d9c25d0869b7b55ae4acecc40,2025-02-17T16:15:15.950000 CVE-2024-1388,0,0,4055ac29f5fc98e5c697dde8e9fd854a4a3e80aad935e1d1af922e2721330e53,2025-01-16T15:18:18.140000 +CVE-2024-13882,1,1,d23d49c98387f6442c8f9aba1e2405a91c54af6f21f17367597a68563af5b8f3,2025-03-08T09:15:31.250000 CVE-2024-13883,0,0,1e82cdf8d40eea1cf0fdba117374eff50482e8082835729e73b8298b4bf2a5eb,2025-02-25T03:39:21.267000 CVE-2024-13888,0,0,45ea465fd1196bf38b8c341b411c16c5302500649feb2c402e910f2e8aae7f79,2025-02-25T20:39:44.927000 CVE-2024-1389,0,0,44c915b89d8f24815db27dcf9521c10fcca5d968291afb2cbd201094aadb9d12,2025-01-27T17:15:51.567000 @@ -247818,7 +247822,7 @@ CVE-2024-13904,0,0,6ed46fabfefc9c5da61282f47ce5a7f4388439dd6fcf28ed8981cf00c9bb3 CVE-2024-13905,0,0,94a06017058e47ea224d64f1fcc59573ef0629f841649e95825b26eac6b9c491,2025-02-27T05:15:13.610000 CVE-2024-13906,0,0,49d3c886d6eb569e3be95840598d3644d2e3a759a922a1777a4a1a594b4b6b41,2025-03-07T08:15:37.467000 CVE-2024-13907,0,0,f2da3425f3470ad3127836884558cd2ad3921d2f9bdfdbcb35d8a21b911174f4,2025-02-27T07:15:33.543000 -CVE-2024-13908,1,1,b02feb571c3f56395c71015215fc0c37a39f6c271a94ae36e8f1cf1686537b5a,2025-03-08T07:15:10.690000 +CVE-2024-13908,0,0,b02feb571c3f56395c71015215fc0c37a39f6c271a94ae36e8f1cf1686537b5a,2025-03-08T07:15:10.690000 CVE-2024-1391,0,0,fccbf24dfb651f372e2b51106217c90f4de85c1f936edcd91290184be12fa7b9,2025-01-17T19:52:57.843000 CVE-2024-13910,0,0,1da974c8b4278339ddaf4e1b70396d7d0139387963424ab28e0cb7907c842a5e,2025-03-01T09:15:09.517000 CVE-2024-13911,0,0,5c6ec30a98a23b22a75401ffb9290b39df569bd0f5609894fc8fdc52c5d0d4f8,2025-03-01T08:15:33.803000 @@ -280205,6 +280209,7 @@ CVE-2025-0173,0,0,f8b0314ed39e527fabb4cd92dfd81e3169abbd8b79f7d02c23b85a331bfa3d CVE-2025-0174,0,0,2781e194f9798c75bf0ec32dea68200ca4aca4903740e2d2b80a2f0be0df417e,2025-02-25T22:42:09.023000 CVE-2025-0175,0,0,80758939dc78975a0b0f11b5122318c85771cff4c6d6324f77ed7ad227d42c7f,2025-02-25T22:42:22.270000 CVE-2025-0176,0,0,4f166ededfe603f7b909f38bf43e5476f4c4acc90bc4bca3384ed33dd9906445,2025-01-03T15:15:11.360000 +CVE-2025-0177,1,1,51fc39af6d3f2140426d8a331c9fc94d9dafec3f019efc3bb9078a88e2f86525,2025-03-08T09:15:31.420000 CVE-2025-0178,0,0,944748b325d4376009262d91b41fb752899bf5d01e4dc12f97d2cde619932e0c,2025-02-14T14:15:32.403000 CVE-2025-0180,0,0,45564097f8949edeaed9ca9ee45d4b95a2a515d148fe7f516835a6a631636cf0,2025-02-11T07:15:29.277000 CVE-2025-0181,0,0,3daa095a8ef29b155e27eb528b6494dc885d5fb57d0193f8fe2a690199fb3ae3,2025-02-11T07:15:29.827000 @@ -280910,6 +280915,7 @@ CVE-2025-1270,0,0,a0fba4bca59afda304bf8335640266a3acf6a1624640bee675db51d94e9fc4 CVE-2025-1271,0,0,0359319eae8a142a0720b34e58c3d3808902c47ddd06a524c0e8a18f2f2f366a,2025-02-13T13:15:09.433000 CVE-2025-1282,0,0,135e0d0f84484b53270653b79f9e366f1c0baa627fbaf4af3fe538f7cdb33c50,2025-02-27T09:15:10.160000 CVE-2025-1283,0,0,4175667403ef8488e39c5e8c2dd94a274e533a8ac41a5d588031878a218b6b1e,2025-03-04T20:59:05.417000 +CVE-2025-1287,1,1,37b8d6e5bb02fec4db4fe6ebb7f78e649494f82b2a965d784db2bbf955be9dfb,2025-03-08T09:15:31.590000 CVE-2025-1291,0,0,bb482c13e6ea46eaa51479ea468a757d12dfa1292b1f2ec778322441cd52e4d5,2025-03-01T09:15:09.710000 CVE-2025-1293,0,0,60a11b51b89461cf0f7c120de5ab3c93294ee5f6a5e19d6ba8d0bb06e8828d44,2025-02-20T01:15:09.950000 CVE-2025-1295,0,0,24bdaaeb758634ffe52b87573cb2760c08e1a07ac9682ba1ed20b65d22033cf6,2025-02-27T06:15:21.990000 @@ -280923,6 +280929,10 @@ CVE-2025-1315,0,0,5be04aa629598e4be5d357c662948434207fa248de797d14003b93bcf9fdac CVE-2025-1316,0,0,f932f98d5a32b1e0c223e88762610c5952375892982b9e178aa7ca013cbd0ec3,2025-03-05T00:15:35.057000 CVE-2025-1319,0,0,33bda93fd3980ba7b6a91272d6a6ae7036010f8fa7bdd3f4dc099ca7b24e3ab8,2025-03-06T15:00:16.447000 CVE-2025-1321,0,0,fe193fa44353594440aac216be48f78f1d1914788baa79c358bb03fb8eb369f9,2025-03-04T04:15:11.547000 +CVE-2025-1322,1,1,ef532a524b09825661ab421375ab624604880ea49516d5ffa6abd3daa6646678,2025-03-08T10:15:10.583000 +CVE-2025-1323,1,1,033b81ac968bdbd8998abfe50ff1029213aaccbbd88f79ffcc07fefd27cf79c7,2025-03-08T10:15:11.003000 +CVE-2025-1324,1,1,7683703969288304647be96e6e18acedc0aaa47738bdb4c92e55ffe9d48662b4,2025-03-08T10:15:11.217000 +CVE-2025-1325,1,1,b4fb99b87c595d4997dd2b75e32d285cdf4b5b8e9910ed9f6bc4a7a9a97b0ede,2025-03-08T10:15:11.427000 CVE-2025-1328,0,0,e2b9ad996048bde72d17ec9a6affa826b875b275e51ef749199b511eae0ab088,2025-02-25T18:03:46.410000 CVE-2025-1332,0,0,04253da72e8edd91cac77b4f2ad8533b669f4d496d09ec3f2573f85295be125b,2025-02-16T01:15:20.440000 CVE-2025-1335,0,0,bb409ff99c8e3378896a9535373b62c93c367d19339145f6746127b81b9cf3e2,2025-02-28T19:47:07.220000 @@ -281125,6 +281135,7 @@ CVE-2025-1757,0,0,78b33a074cf39bfe778889068f984255867e6a5fb09e8f531bc6334acbd95f CVE-2025-1768,0,0,e21e53cb16776247b7fcdb1da98b2a5a84bc79fed4b5aeb36139ff1ea1a21bd9,2025-03-07T11:15:15.653000 CVE-2025-1776,0,0,1a12423b233b2ef4ba69976c3f13498310a33efb7f09102cfb934a1191ac53f0,2025-02-28T14:15:35.943000 CVE-2025-1780,0,0,226a30a5273cda636f0411ff11753517352eef60dfa6b2b998a1836a6dc818bf,2025-03-01T04:15:09.713000 +CVE-2025-1783,1,1,7fcaf339289a48edd534e2424306b8cd911988b21bbe826dd21f100c86d4c9de,2025-03-08T10:15:11.647000 CVE-2025-1786,0,0,6efea7c83ade59c3484e3ccdf6b16455298d78bd2d350ead5c28c52e73509d8e,2025-03-03T21:15:16.130000 CVE-2025-1788,0,0,65633b0fdde44bd6e8f752d6a57d4e3e26e3a2eb678db1c79ca98769400305da,2025-03-03T21:15:16.263000 CVE-2025-1791,0,0,3c9031f43c5aed2d49ec4c2e3a617d4eaa134c60206475ea4448611f5ca2f51c,2025-03-03T21:15:16.433000