Skip to content

Commit cc939f9

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-gx4m-rf3m-46fm GHSA-vppg-gg96-53c9
1 parent 24793a5 commit cc939f9

File tree

2 files changed

+77
-0
lines changed

2 files changed

+77
-0
lines changed

advisories/unreviewed/2025/05/GHSA-gx4m-rf3m-46fm/GHSA-gx4m-rf3m-46fm.json

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-gx4m-rf3m-46fm",
4+
"modified": "2025-05-22T06:30:24Z",
5+
"published": "2025-05-22T06:30:24Z",
6+
"aliases": [
7+
"CVE-2025-5062"
8+
],
9+
"details": "The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5062"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://github.com/woocommerce/woocommerce/pull/53405/files"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://developer.woocommerce.com/2024/12/03/woocommerce-9-4-3-and-woocommerce-9-3-4-available-now"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/woocommerce/woocommerce/blob/08dbc3b7dea140dd5dc19ee9c9ecd47dac0605b6/plugins/woocommerce/client/admin/client/customize-store/utils.js#L39C1-L56C2"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2ee5bb-eeb8-4134-8f3f-b411e56457f0?source=cve"
37+
}
38+
],
39+
"database_specific": {
40+
"cwe_ids": [
41+
"CWE-79"
42+
],
43+
"severity": "MODERATE",
44+
"github_reviewed": false,
45+
"github_reviewed_at": null,
46+
"nvd_published_at": "2025-05-22T04:16:22Z"
47+
}
48+
}

advisories/unreviewed/2025/05/GHSA-vppg-gg96-53c9/GHSA-vppg-gg96-53c9.json

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-vppg-gg96-53c9",
4+
"modified": "2025-05-22T06:30:24Z",
5+
"published": "2025-05-22T06:30:24Z",
6+
"aliases": [
7+
"CVE-2025-4133"
8+
],
9+
"details": "The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4133"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/ebd7e5f5-af8d-42ca-b6ff-af92e03d4a3e"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2025-05-22T06:15:57Z"
28+
}
29+
}

0 commit comments

Comments
 (0)