Publish Advisories

GHSA-v6c5-9mp4-mwq4
GHSA-287g-7jjx-c8p9
GHSA-3f72-4h68-jc27
GHSA-6q79-hwrv-jc95
GHSA-6xqr-w87w-hx3g
GHSA-83hv-jw3v-m24m
GHSA-ggjc-mc42-xpcw
GHSA-gp53-f4cj-7qqg
GHSA-hw97-rjpm-g922
GHSA-v3h3-r67m-6xv9

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-v6c5-9mp4-mwq4/GHSA-v6c5-9mp4-mwq4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v6c5-9mp4-mwq4",
-  "modified": "2026-03-05T12:30:30Z",
+  "modified": "2026-03-19T06:30:27Z",
   "published": "2025-11-26T15:34:12Z",
   "aliases": [
     "CVE-2025-13601"
@@ -35,6 +35,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13601"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:4419"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:3415"

advisories/unreviewed/2026/03/GHSA-287g-7jjx-c8p9/GHSA-287g-7jjx-c8p9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-287g-7jjx-c8p9",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-28044"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28044"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/wp-rocket/vulnerability/wordpress-wp-rocket-plugin-3-19-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:26Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-3f72-4h68-jc27/GHSA-3f72-4h68-jc27.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3f72-4h68-jc27",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-27413"
+  ],
+  "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through 3.13.9.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27413"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/profile-builder-pro/vulnerability/wordpress-profile-builder-pro-plugin-3-13-9-sql-injection-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:25Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6q79-hwrv-jc95/GHSA-6q79-hwrv-jc95.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6q79-hwrv-jc95",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-27397"
+  ],
+  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27397"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/really-simple-ssl-pro/vulnerability/wordpress-really-simple-security-pro-plugin-9-5-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:25Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6xqr-w87w-hx3g/GHSA-6xqr-w87w-hx3g.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xqr-w87w-hx3g",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-27542"
+  ],
+  "details": "Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Privilege Escalation.This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27542"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-wholesale-lead-capture/vulnerability/wordpress-woocommerce-wholesale-lead-capture-plugin-1-17-8-privilege-escalation-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:25Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-83hv-jw3v-m24m/GHSA-83hv-jw3v-m24m.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-83hv-jw3v-m24m",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-28070"
+  ],
+  "details": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28070"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:26Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-ggjc-mc42-xpcw/GHSA-ggjc-mc42-xpcw.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ggjc-mc42-xpcw",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-28073"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28073"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-theme-v10-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:26Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-gp53-f4cj-7qqg/GHSA-gp53-f4cj-7qqg.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gp53-f4cj-7qqg",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-1238"
+  ],
+  "details": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1238"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/admin/view/right-now.php#L185"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/wp-slimstat.php#L1948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3477417"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e991fbdf-8e26-4d2e-8e3b-c8990914dcad?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T05:15:59Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-hw97-rjpm-g922/GHSA-hw97-rjpm-g922.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hw97-rjpm-g922",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-27540"
+  ],
+  "details": "Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27540"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-wholesale-lead-capture/vulnerability/wordpress-woocommerce-wholesale-lead-capture-plugin-1-17-8-arbitrary-file-upload-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:25Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-v3h3-r67m-6xv9/GHSA-v3h3-r67m-6xv9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v3h3-r67m-6xv9",
+  "modified": "2026-03-19T06:30:27Z",
+  "published": "2026-03-19T06:30:27Z",
+  "aliases": [
+    "CVE-2026-27096"
+  ],
+  "details": "Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27096"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/theme/colorfolio/vulnerability/wordpress-colorfolio-freelance-designer-wordpress-theme-theme-1-3-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T06:16:25Z"
+  }
+}