more updates 2024-11-11

Signed-off-by: Weston Steimel <[email protected]>

data/anchore/2018/CVE-2018-5158.json

@@ -76,6 +76,25 @@
             "versionType": "npm"
           }
         ]
+      },
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:kevinbazira:algori_pdf_viwer:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "algori-pdf-viwer",
+        "packageType": "wordpress-plugin",
+        "product": "Algori PDF Viewer",
+        "repo": "https://plugins.svn.wordpress.org/algori-pdf-viewer",
+        "vendor": "Kevin Bazira",
+        "versions": [
+          {
+            "lessThan": "1.0.8",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
       }
     ],
     "providerMetadata": {
@@ -86,11 +105,14 @@
       {
         "url": "https://github.com/advisories/GHSA-7jg2-jgv3-fmr4"
       },
+      {
+        "url": "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97"
+      },
       {
         "url": "https://github.com/mozilla/pdf.js/pull/9659"
       },
       {
-        "url": "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97"
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd66329-098e-4adf-b66f-d82a47720629?source=cve"
       }
     ]
   }

data/anchore/2020/CVE-2020-36834.json

@@ -0,0 +1,36 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2020-36834",
+    "description": "The Discount Rules for WooCommerce plugin for WordPress is vulnerable to missing authorization via several AJAX actions in versions up to, and including, 2.0.2 due to missing capability checks on various functions. This makes it possible for subscriber-level attackers to execute various actions and perform a wide variety of actions such as modifying rules and saving configurations.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/articles/multiple-vulnerabilities-in-discount-rules-for-woocommerce-plugin/",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cf27ba-a01b-4e34-9584-b1d3fc87af34?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:flycart:discount_rules_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "woo-discount-rules",
+        "product": "Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons",
+        "vendor": "flycart",
+        "versions": [
+          {
+            "lessThan": "2.1.0",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2023/CVE-2023-32297.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "patchstack",
+    "cveId": "CVE-2023-32297",
+    "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LWS LWS Affiliation allows PHP Local File Inclusion.This issue affects LWS Affiliation: from n/a through 2.2.6.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://patchstack.com/database/vulnerability/lws-affiliation/wordpress-lws-affiliation-plugin-2-2-6-local-file-inclusion-vulnerability?_s_id=cve"
+    ],
+    "solutions": [
+      "Update to 2.3 or a higher version."
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:lws:affiliation:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "lws-affiliation",
+        "packageType": "wordpress-plugin",
+        "product": "LWS Affiliation",
+        "repo": "https://plugins.svn.wordpress.org/lws-affiliation",
+        "vendor": "LWS",
+        "versions": [
+          {
+            "lessThan": "2.3",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b1871d-9d26-4bdc-bd20-0535143902d4?source=cve"
+      }
+    ]
+  }
+}

data/anchore/2024/CVE-2024-0766.json

@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-0766",
+    "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/996c7433-dd82-4216-86b9-005f43c06c3a?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "envo-elementor-for-woocommerce",
+        "packageType": "wordpress-plugin",
+        "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+        "vendor": "envothemes",
+        "versions": [
+          {
+            "lessThan": "1.4.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-0767.json

@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-0767",
+    "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L332",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/cca71257-05dc-43d5-8de6-faf0a2feab2e?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "envo-elementor-for-woocommerce",
+        "packageType": "wordpress-plugin",
+        "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+        "vendor": "envothemes",
+        "versions": [
+          {
+            "lessThan": "1.4.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-0768.json

@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-0768",
+    "description": "The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L367",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/6504ae5c-a36d-495e-aa93-40a3753857c6?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:envothemes:envo\\'s_elementor_templates_\\&_widgets_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "envo-elementor-for-woocommerce",
+        "packageType": "wordpress-plugin",
+        "product": "Envo's Elementor Templates & Widgets for WooCommerce",
+        "vendor": "envothemes",
+        "versions": [
+          {
+            "lessThan": "1.4.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10187.json

@@ -0,0 +1,40 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10187",
+    "description": "The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3183178/",
+      "https://wordpress.org/plugins/mycred/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/23a081d4-443d-4b3b-8c89-9eb0e23c961e?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:mycred:mycred:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "mycred",
+        "packageType": "wordpress-plugin",
+        "product": "myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification",
+        "repo": "https://plugins.svn.wordpress.org/mycred",
+        "vendor": "wpexpertsio",
+        "versions": [
+          {
+            "lessThan": "2.7.5",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10261.json

@@ -0,0 +1,38 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10261",
+    "description": "The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/changeset/3182968/paid-member-subscriptions",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf19371-7b06-45c6-bf16-6ef7dfffb175?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "paid-member-subscriptions",
+        "packageType": "wordpress-plugin",
+        "product": "Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction",
+        "vendor": "madalinungureanu",
+        "versions": [
+          {
+            "lessThan": "2.13.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2024/CVE-2024-10265.json

@@ -0,0 +1,41 @@
+{
+  "additionalMetadata": {
+    "cna": "wordfence",
+    "cveId": "CVE-2024-10265",
+    "description": "The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://plugins.trac.wordpress.org/browser/form-maker/trunk/wd/includes/notices.php#L199",
+      "https://plugins.trac.wordpress.org/changeset/3183170/",
+      "https://wordpress.org/plugins/form-maker/#developers",
+      "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb1a2c2-581d-47ed-a180-9f70fdf79066?source=cve"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*",
+          "cpe:2.3:a:web-dorado:form_maker:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "form-maker",
+        "packageType": "wordpress-plugin",
+        "product": "Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder",
+        "vendor": "10web",
+        "versions": [
+          {
+            "lessThan": "1.15.31",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}