Updates for 2025-02-20

Signed-off-by: Josh Bressers <[email protected]>

data/anchore/2024/CVE-2024-11582.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-11582",
+    "description": "The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ip parameter in all versions up to, and including, 10.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/subscribe2/tags/10.43/classes/class-s2-list-table.php#L72",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/36777e39-be45-41f2-beca-2971e15b77cd?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T03:21:11.532Z",
+      "dateReserved": "2024-11-20T22:09:14.355Z",
+      "dateUpdated": "2025-02-19T14:58:22.696Z",
+      "digest": "87d2ab853d85fb2877293a37e03458857b2ddcdcd210c6acf02a6196348cd111"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:subscribe2_project:subscribe2:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "subscribe2",
+        "packageType": "wordpress-plugin",
+        "product": "Subscribe2 – Form, Email Subscribers & Newsletters",
+        "repo": "https://plugins.svn.wordpress.org/subscribe2",
+        "vendor": "wedevs",
+        "versions": [
+          {
+            "lessThan": "10.44",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-13405.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-13405",
+    "description": "The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation on the 'awp_ip_deny' page. This makes it possible for unauthenticated attackers to block IP addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://wordpress.org/plugins/apptivo-business-site/",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8225e3c-5413-4406-a31b-80829b6b330a?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T07:32:15.148Z",
+      "dateReserved": "2025-01-15T16:46:14.750Z",
+      "dateUpdated": "2025-02-19T15:08:08.123Z",
+      "digest": "75a05ca4f0941bec3bd0be0a803dc7703519e5d50a9858af997dca938d821f4e"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:apptivo:apptivo_business_site_crm:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "apptivo-business-site",
+        "packageType": "wordpress-plugin",
+        "product": "Apptivo Business Site CRM",
+        "repo": "https://plugins.svn.wordpress.org/apptivo-business-site",
+        "vendor": "apptivo",
+        "versions": [
+          {
+            "lessThanOrEqual": "5.3",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-13740.json

@@ -22,7 +22,7 @@
         "cpes": [
           "cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*"
         ],
-        "packageName": "profilegrid",
+        "packageName": "profilegrid-user-profiles-groups-and-communities",
         "packageType": "wordpress-plugin",
         "product": "ProfileGrid – User Profiles, Groups and Communities",
         "repo": "https://plugins.svn.wordpress.org/profilegrid",

data/anchore/2024/CVE-2024-13741.json

@@ -23,7 +23,7 @@
         "cpes": [
           "cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*"
         ],
-        "packageName": "profilegrid",
+        "packageName": "profilegrid-user-profiles-groups-and-communities",
         "packageType": "wordpress-plugin",
         "product": "ProfileGrid – User Profiles, Groups and Communities",
         "repo": "https://plugins.svn.wordpress.org/profilegrid",

data/anchore/2024/CVE-2024-13783.json

@@ -25,7 +25,7 @@
           "cpe:2.3:a:ncrafts:formcraft:*:*:*:*:*:wordpress:*:*",
           "cpe:2.3:a:subtlewebinc:formcraft3:*:*:*:*:*:wordpress:*:*"
         ],
-        "packageName": "formcraft-form-builder",
+        "packageName": "formcraft3",
         "packageType": "wordpress-plugin",
         "product": "FormCraft",
         "repo": "https://plugins.svn.wordpress.org/formcraft-form-builder",

data/anchore/2024/CVE-2024-43957.json

@@ -22,7 +22,7 @@
         "vendor": "Sk. Abul Hasan",
         "versions": [
           {
-            "lessThanOrEqual": "1.9",
+            "lessThan": "2.2",
             "status": "affected",
             "version": "0",
             "versionType": "custom"

data/anchore/2025/CVE-2025-0817.json

@@ -25,7 +25,7 @@
           "cpe:2.3:a:ncrafts:formcraft:*:*:*:*:*:wordpress:*:*",
           "cpe:2.3:a:subtlewebinc:formcraft3:*:*:*:*:*:wordpress:*:*"
         ],
-        "packageName": "formcraft-form-builder",
+        "packageName": "formcraft3",
         "packageType": "wordpress-plugin",
         "product": "FormCraft",
         "repo": "https://plugins.svn.wordpress.org/formcraft-form-builder",

data/anchore/2025/CVE-2025-0968.json

@@ -0,0 +1,47 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2025-0968",
+    "description": "The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.0  due to a missing capability checks on the get_megamenu_content() function. This makes it possible for unauthenticated attackers to view any item created in Elementor, such as posts, pages and templates including drafts, trashed and private items.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/elementskit-lite/trunk/modules/megamenu/api.php#L47",
+      "https://plugins.trac.wordpress.org/changeset/3237243/",
+      "https://wordpress.org/plugins/elementskit-lite/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/432ac3b1-8f1d-442f-8e8d-62a1f26ba259?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T11:10:39.448Z",
+      "dateReserved": "2025-02-01T21:47:17.502Z",
+      "dateUpdated": "2025-02-19T14:37:10.760Z",
+      "digest": "223ea859299f2a7befb06d67cced8328ec2881ea8df196a630ab1603ffab2c69"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:wpmet:elements_kit_elementor_addons:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "elementskit-lite",
+        "packageType": "wordpress-plugin",
+        "product": "ElementsKit Elementor addons",
+        "repo": "https://plugins.svn.wordpress.org/elementskit-lite",
+        "vendor": "xpeedstudio",
+        "versions": [
+          {
+            "lessThan": "3.4.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-0999.json

@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "chrome",
+    "cveId": "CVE-2025-0999",
+    "description": "Heap buffer overflow in V8 in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html",
+      "https://issues.chromium.org/issues/394350433"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T16:55:30.675Z",
+      "dateReserved": "2025-02-03T18:04:39.217Z",
+      "dateUpdated": "2025-02-19T20:08:12.953Z",
+      "digest": "df0de1d83073ed8cdd3d4011a4583dcc158d7b1835f96171d4e85a70a45b9290"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Chrome",
+        "vendor": "Google",
+        "versions": [
+          {
+            "lessThan": "133.0.6943.126",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-1006.json

@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "chrome",
+    "cveId": "CVE-2025-1006",
+    "description": "Use after free in Network in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted web app. (Chromium security severity: Medium)",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html",
+      "https://issues.chromium.org/issues/390590778"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T16:55:31.747Z",
+      "dateReserved": "2025-02-03T21:24:57.862Z",
+      "dateUpdated": "2025-02-19T20:09:48.316Z",
+      "digest": "df0de1d83073ed8cdd3d4011a4583dcc158d7b1835f96171d4e85a70a45b9290"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Chrome",
+        "vendor": "Google",
+        "versions": [
+          {
+            "lessThan": "133.0.6943.126",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-1065.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2025-1065",
+    "description": "The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3240066/visualizer",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/17c1de7b-5178-4fbe-a515-169de4323ae7?source=cve"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T05:22:52.516Z",
+      "dateReserved": "2025-02-05T18:14:04.973Z",
+      "dateUpdated": "2025-02-19T14:56:01.047Z",
+      "digest": "bb777eff2c3507e04604480436eddc038108f96d5db5a2f99fc85815ee3b4cf7"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:themeisle:visualizer:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "visualizer",
+        "packageType": "wordpress-plugin",
+        "product": "Visualizer: Tables and Charts Manager for WordPress",
+        "repo": "https://plugins.svn.wordpress.org/visualizer",
+        "vendor": "themeisle",
+        "versions": [
+          {
+            "lessThan": "3.11.9",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-1426.json

@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "chrome",
+    "cveId": "CVE-2025-1426",
+    "description": "Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html",
+      "https://issues.chromium.org/issues/383465163"
+    ],
+    "upstream": {
+      "datePublished": "2025-02-19T16:55:31.252Z",
+      "dateReserved": "2025-02-18T14:20:02.551Z",
+      "dateUpdated": "2025-02-19T20:09:06.807Z",
+      "digest": "df0de1d83073ed8cdd3d4011a4583dcc158d7b1835f96171d4e85a70a45b9290"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"
+        ],
+        "product": "Chrome",
+        "vendor": "Google",
+        "versions": [
+          {
+            "lessThan": "133.0.6943.126",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}