Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit acfb2fc907ff · 2025-10-31T03:32:27.000Z
GHSA-383x-8v44-m82q GHSA-pj6p-fx56-wq5h GHSA-xvmm-73h6-8xgf
diff --git a/advisories/unreviewed/2025/10/GHSA-383x-8v44-m82q/GHSA-383x-8v44-m82q.json b/advisories/unreviewed/2025/10/GHSA-383x-8v44-m82q/GHSA-383x-8v44-m82q.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-383x-8v44-m82q",
+  "modified": "2025-10-31T03:30:23Z",
+  "published": "2025-10-31T03:30:23Z",
+  "aliases": [
+    "CVE-2025-11975"
+  ],
+  "details": "The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11975"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c68e8a1-926f-497f-b9f2-b0a67cd09adf?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T03:15:34Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-pj6p-fx56-wq5h/GHSA-pj6p-fx56-wq5h.json b/advisories/unreviewed/2025/10/GHSA-pj6p-fx56-wq5h/GHSA-pj6p-fx56-wq5h.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pj6p-fx56-wq5h",
+  "modified": "2025-10-31T03:30:23Z",
+  "published": "2025-10-31T03:30:23Z",
+  "aliases": [
+    "CVE-2025-23050"
+  ],
+  "details": "QLowEnergyController in Qt before 6.8.2 mishandles malformed Bluetooth ATT commands, leading to an out-of-bounds read (or division by zero). This is fixed in 5.15.19, 6.5.9, and 6.8.2.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23050"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codereview.qt-project.org/q/QLowEnergyController"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.qt.io/blog/security-advisory-qlowenergycontroller-on-linux"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T02:15:31Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-xvmm-73h6-8xgf/GHSA-xvmm-73h6-8xgf.json b/advisories/unreviewed/2025/10/GHSA-xvmm-73h6-8xgf/GHSA-xvmm-73h6-8xgf.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xvmm-73h6-8xgf",
+  "modified": "2025-10-31T03:30:23Z",
+  "published": "2025-10-31T03:30:23Z",
+  "aliases": [
+    "CVE-2025-11806"
+  ],
+  "details": "The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11806"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/qzzr-shortcode/tags/1.0.1/qzzr.php#L35"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/qzzr-shortcode"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5d5d6ec-bb23-4619-b5d9-9bd965b049b5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T03:15:34Z"
+  }
+}
