updates 2025-01-08

Signed-off-by: Weston Steimel <[email protected]>

data/anchore/2023/CVE-2023-36268.json

@@ -14,6 +14,7 @@
           "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*"
         ],
         "product": "libreoffice",
+        "repo": "https://git.libreoffice.org/core",
         "vendor": "The Document Foundation",
         "versions": [
           {

data/anchore/2024/CVE-2024-10102.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wpscan",
+    "cveId": "CVE-2024-10102",
+    "description": "The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://wpscan.com/vulnerability/3b34d1ec-5370-40a8-964e-663f4f9f42f8/"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T06:00:02.472Z",
+      "dateReserved": "2024-10-17T17:57:42.476Z",
+      "dateUpdated": "2025-01-07T16:20:52.715Z",
+      "digest": "5866dc059d2d8ce1467759d5fc12296f5efaf90ec56a55fd424879ccea47114d"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:robogallery:robo_gallery:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:robosoft:robo_gallery:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "robo-gallery",
+        "packageType": "wordpress-plugin",
+        "product": "Photo Gallery, Images, Slider in Rbs Image Gallery",
+        "repo": "https://plugins.svn.wordpress.org/robo-gallery",
+        "vendor": "robosoft",
+        "versions": [
+          {
+            "lessThan": "3.2.22",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10527.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10527",
+    "description": "The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/spacer/tags/3.0.7/index.php#L85",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/112ece28-27ac-4d3c-b302-7acab43390fb?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T04:21:55.254Z",
+      "dateReserved": "2024-10-30T10:35:32.271Z",
+      "dateUpdated": "2025-01-07T16:26:18.914Z",
+      "digest": "052157767a9589684de3b9868d82d5cd32ed4c7a9a3495b3d7b574da71fc7699"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:clevelandwebdeveloper:spacer:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "spacer",
+        "packageType": "wordpress-plugin",
+        "product": "Spacer",
+        "repo": "https://plugins.svn.wordpress.org/spacer",
+        "vendor": "clevelandwebdeveloper",
+        "versions": [
+          {
+            "lessThanOrEqual": "3.0.7",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10562.json

@@ -0,0 +1,43 @@
+{
+  "additionalMetadata": {
+    "cna": "wpscan",
+    "cveId": "CVE-2024-10562",
+    "description": "The Form Maker by 10Web  WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://wpscan.com/vulnerability/317f6cb7-774f-4381-a855-858c051aa1d5/"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T06:00:03.350Z",
+      "dateReserved": "2024-10-30T19:52:20.557Z",
+      "dateUpdated": "2025-01-07T16:18:08.400Z",
+      "digest": "fbd443069bb7d13c4d4b600b8ed6321af1bf0b7b69c3bec1b1a883d003dd6d14"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "form-maker",
+        "packageType": "wordpress-plugin",
+        "product": "Form Maker by 10Web",
+        "repo": "https://plugins.svn.wordpress.org/form-maker",
+        "versions": [
+          {
+            "lessThan": "1.15.31",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10866.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10866",
+    "description": "The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3213801%40export-import-menus&new=3213801%40export-import-menus&sfp_email=&sfph_mail=",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/08beb583-096d-453c-9690-b46e410afb1b?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T07:22:32.430Z",
+      "dateReserved": "2024-11-05T14:22:28.306Z",
+      "dateUpdated": "2025-01-07T15:59:02.144Z",
+      "digest": "d74a7495c10a44632c1394659fd69eaa8e9a3e3a1ca72904b6c9f58c5bea0640"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:akshaymenariya:export_import_menus:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "export-import-menus",
+        "packageType": "wordpress-plugin",
+        "product": "Export Import Menus",
+        "repo": "https://plugins.svn.wordpress.org/expert-import-menus",
+        "vendor": "akshay-menariya",
+        "versions": [
+          {
+            "lessThan": "1.9.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-11282.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11282",
+    "description": "The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3211004/content-protector",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/11782a65-30b9-400e-8fe0-ab9f05ba5e42?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T06:40:55.512Z",
+      "dateReserved": "2024-11-15T19:53:58.672Z",
+      "dateUpdated": "2025-01-07T16:55:48.572Z",
+      "digest": "839e9e55b01c04993fa382fab14840c144979b81c7d13afd99b3a69a852e3017"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:passster_project:passter:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "content-protector",
+        "packageType": "wordpress-plugin",
+        "product": "Passster – Password Protect Pages and Content",
+        "repo": "https://plugins.svn.wordpress.org/content-protector",
+        "vendor": "wpchill",
+        "versions": [
+          {
+            "lessThan": "4.2.11",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-11725.json

@@ -0,0 +1,49 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11725",
+    "description": "The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/sms-alert/trunk/helper/return-warranty.php#L74",
+      "https://plugins.trac.wordpress.org/changeset/3198056/sms-alert/trunk/helper/return-warranty.php",
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197777%40sms-alert&new=3197777%40sms-alert&sfp_email=&sfph_mail=",
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3199795%40sms-alert&new=3199795%40sms-alert&sfp_email=&sfph_mail=",
+      "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207391%40sms-alert&new=3207391%40sms-alert&sfp_email=&sfph_mail=",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/33517dba-78ac-4391-a55e-d1f13801b212?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T06:40:56.260Z",
+      "dateReserved": "2024-11-25T20:41:23.678Z",
+      "dateUpdated": "2025-01-07T17:16:03.368Z",
+      "digest": "844d67c3e0d39897dbcbb94125b702c6ee4ef61db2ff025cd4813e2959a0184c"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:cozyvision:sms_alert_order_notifications:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "sms-alert",
+        "packageType": "wordpress-plugin",
+        "product": "SMS Alert Order Notifications – WooCommerce",
+        "repo": "https://plugins.svn.wordpress.org/sms-alert",
+        "vendor": "cozyvision1",
+        "versions": [
+          {
+            "lessThan": "3.7.7",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-11777.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11777",
+    "description": "The Sell Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sell_media_search_form_gutenberg' shortcode in all versions up to, and including, 2.5.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/sell-media/trunk//gutenberg/blocks/sell-media-search-form/sell-media-search-form.php#L219",
+      "https://wordpress.org/plugins/sell-media/",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a35f0bb-691f-4acf-a30d-4ddabe3b919c?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T03:21:57.148Z",
+      "dateReserved": "2024-11-26T15:31:22.784Z",
+      "dateUpdated": "2025-01-07T16:28:06.912Z",
+      "digest": "337e6cf51f102d6fdffbf53c6e2e58e8d90cb02f2d6aafff332517a8da23b5ca"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:graphpaperpress:sell_media:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "sell-media",
+        "packageType": "wordpress-plugin",
+        "product": "Sell Media",
+        "repo": "https://plugins.svn.wordpress.org/sell-media",
+        "vendor": "endortrails",
+        "versions": [
+          {
+            "lessThanOrEqual": "2.5.8.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-12033.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-12033",
+    "description": "The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3214798/jupiterx-core/trunk/includes/extensions/raven/includes/plugin.php",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e452aa0-bfb9-4805-b2ed-53464a4b5308?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-01-07T11:11:11.179Z",
+      "dateReserved": "2024-12-02T16:10:51.342Z",
+      "dateUpdated": "2025-01-07T14:25:50.999Z",
+      "digest": "c5378a06fd99dbaa4ae66109c504e9b014daf5599d122ae76a0866acfa7793af"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:artbees:jupiterx:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "jupiterx-core",
+        "packageType": "wordpress-plugin",
+        "product": "Jupiter X Core",
+        "repo": "https://plugins.svn.wordpress.org/jupiterx-core",
+        "vendor": "artbees",
+        "versions": [
+          {
+            "lessThan": "4.8.6",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}