Publish Advisories

GHSA-9vmc-526p-2842
GHSA-f94g-c4x5-h33w
GHSA-mrm5-v7mh-6mmq
GHSA-px7q-3g2x-xf8v

Author: advisory-database[bot]

advisories/unreviewed/2025/09/GHSA-9vmc-526p-2842/GHSA-9vmc-526p-2842.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9vmc-526p-2842",
+  "modified": "2025-09-06T09:30:25Z",
+  "published": "2025-09-06T09:30:25Z",
+  "aliases": [
+    "CVE-2025-10029"
+  ],
+  "details": "A security flaw has been discovered in itsourcecode POS Point of Sale System 1.0. This vulnerability affects unknown code of the file /inventory/main/vendors/datatables/unit_testing/templates/complex_header_2.php. Performing manipulation of the argument scripts results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10029"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AlphabugX/CVE-Report/blob/main/CVE-006.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.322744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.322744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.643944"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-06T09:15:36Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-f94g-c4x5-h33w/GHSA-f94g-c4x5-h33w.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f94g-c4x5-h33w",
+  "modified": "2025-09-06T09:30:25Z",
+  "published": "2025-09-06T09:30:25Z",
+  "aliases": [
+    "CVE-2025-10046"
+  ],
+  "details": "The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10046"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.svn.wordpress.org/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.3/includes/elex-manage-feed-ajax.php#29"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3342699/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.4/includes/elex-manage-feed-ajax.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afe37bb-fa8a-4e7b-93c6-c44b3fbeb904?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-06T07:15:33Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-mrm5-v7mh-6mmq/GHSA-mrm5-v7mh-6mmq.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mrm5-v7mh-6mmq",
+  "modified": "2025-09-06T09:30:25Z",
+  "published": "2025-09-06T09:30:25Z",
+  "aliases": [
+    "CVE-2025-9961"
+  ],
+  "details": "An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500. \n\nThe exploit can only be conducted via a Man-In-The-Middle (MITM) attack. \n\nThis issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9961"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/download/archer-ax10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/download/archer-ax1500"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/faq/4647"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-06T07:15:33Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-px7q-3g2x-xf8v/GHSA-px7q-3g2x-xf8v.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-px7q-3g2x-xf8v",
+  "modified": "2025-09-06T09:30:25Z",
+  "published": "2025-09-06T09:30:25Z",
+  "aliases": [
+    "CVE-2025-10028"
+  ],
+  "details": "A vulnerability was identified in itsourcecode POS Point of Sale System 1.0. This affects an unknown part of the file /inventory/main/vendors/datatables/unit_testing/templates/6776.php. Such manipulation of the argument scripts leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10028"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AlphabugX/CVE-Report/blob/main/CVE-005.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.322743"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.322743"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.643943"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-06T07:15:31Z"
+  }
+}