Publish Advisories

GHSA-396v-898v-98hg
GHSA-3h2w-68px-r4v5
GHSA-4qw6-7g5m-4mvh
GHSA-7p8g-rr59-8pqg
GHSA-8mr7-33q4-78g5
GHSA-97w9-v595-3h5q
GHSA-fgmm-c43r-4vvc
GHSA-hpv5-jh7r-pxpv
GHSA-jf8h-fgvq-gw78
GHSA-m8cc-f2ff-3f7p
GHSA-mw5m-g282-gj23
GHSA-q9wg-xwhc-4j78
GHSA-rhr5-9wg9-p26f
GHSA-xc8j-5rr8-8q9r

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-396v-898v-98hg/GHSA-396v-898v-98hg.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-396v-898v-98hg",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-30189"
+  ],
+  "details": "When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30189"
+    },
+    {
+      "type": "WEB",
+      "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2025/oxdc-adv-2025-0001.json"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2025/Oct/29"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1250"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T09:15:47Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-3h2w-68px-r4v5/GHSA-3h2w-68px-r4v5.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3h2w-68px-r4v5",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-62232"
+  ],
+  "details": "Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.\nIt has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 \nUsers are recommended to upgrade to version 3.14, which fixes this issue.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62232"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/32hdgh570btfhg02hfc7p7ckf9v83259"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/10/30/4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T09:15:48Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-4qw6-7g5m-4mvh/GHSA-4qw6-7g5m-4mvh.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4qw6-7g5m-4mvh",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-12094"
+  ],
+  "details": "The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12094"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/oopspam-anti-spam/tags/1.2.49/include/helpers.php#L268"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3386104/oopspam-anti-spam/trunk/include/helpers.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5137bc2-912b-4e25-966e-515e8d9fc21c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T09:15:46Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-7p8g-rr59-8pqg/GHSA-7p8g-rr59-8pqg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7p8g-rr59-8pqg",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-30191"
+  ],
+  "details": "Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30191"
+    },
+    {
+      "type": "WEB",
+      "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1021"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T09:15:47Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-8mr7-33q4-78g5/GHSA-8mr7-33q4-78g5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8mr7-33q4-78g5",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-6520"
+  ],
+  "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection.This issue affects BAPSIS: before 202510271606.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6520"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.usom.gov.tr/bildirim/tr-25-0365"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T08:15:36Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-97w9-v595-3h5q/GHSA-97w9-v595-3h5q.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-97w9-v595-3h5q",
+  "modified": "2025-10-31T09:30:25Z",
+  "published": "2025-10-31T09:30:25Z",
+  "aliases": [
+    "CVE-2025-63675"
+  ],
+  "details": "cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63675"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/javiermorales36/cryptidy-analysis"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T07:15:38Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-fgmm-c43r-4vvc/GHSA-fgmm-c43r-4vvc.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fgmm-c43r-4vvc",
+  "modified": "2025-10-31T09:30:26Z",
+  "published": "2025-10-31T09:30:26Z",
+  "aliases": [
+    "CVE-2025-12175"
+  ],
+  "details": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12175"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/the-events-calendar/the-events-calendar/blob/main/src/Events/QR/QR_Code.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar/tags/6.15.10/src/Events/QR/QR_Code.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab844a05-80e0-42c7-981c-dea3a18cf4d5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T09:15:46Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-hpv5-jh7r-pxpv/GHSA-hpv5-jh7r-pxpv.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hpv5-jh7r-pxpv",
+  "modified": "2025-10-31T09:30:25Z",
+  "published": "2025-10-31T09:30:25Z",
+  "aliases": [
+    "CVE-2025-5397"
+  ],
+  "details": "The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them  This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note social login needs to be enabled in order for a site to be impacted by this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5397"
+    },
+    {
+      "type": "WEB",
+      "url": "https://themeforest.net/item/jobmonster-job-board-wordpress-theme/10965446"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6fa4aa8d-d7f1-4e91-bb2c-c9f80a4bb216?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-288"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T07:15:37Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-jf8h-fgvq-gw78/GHSA-jf8h-fgvq-gw78.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jf8h-fgvq-gw78",
+  "modified": "2025-10-31T09:30:25Z",
+  "published": "2025-10-31T09:30:25Z",
+  "aliases": [
+    "CVE-2025-7846"
+  ],
+  "details": "The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7846"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codecanyon.net/item/user-extra-fields/12949844"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-36"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T07:15:38Z"
+  }
+}