Publish Advisories

GHSA-34f4-7p4v-274v
GHSA-53pp-j4fh-wvrr
GHSA-5c5v-f747-q7rq
GHSA-6mq9-qm49-w244
GHSA-77g9-fwj8-pcwg
GHSA-8425-76gw-qxj4
GHSA-8vw7-m4cj-2323
GHSA-9x54-6v7m-8wf2
GHSA-cwvx-vcjx-vqjc
GHSA-cxr2-7xvc-hh42
GHSA-g6wj-gw42-4345
GHSA-gch6-cfhh-c44p
GHSA-gmgx-8hxg-f53q
GHSA-gxvp-w433-832f
GHSA-h92c-7ccr-x4hr
GHSA-jh7f-pj8r-h37c
GHSA-p572-g32f-hp32
GHSA-q7cc-x725-hp7g
GHSA-q7wp-4j7p-g4vj
GHSA-qfwf-756h-2p4g
GHSA-qj9g-q4j9-47hp
GHSA-rg7x-c263-823c
GHSA-wxhm-86c2-x66c
GHSA-xf7v-j2cc-2crf

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-34f4-7p4v-274v/GHSA-34f4-7p4v-274v.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-34f4-7p4v-274v",
+  "modified": "2026-02-18T09:31:04Z",
+  "published": "2026-02-18T09:31:04Z",
+  "aliases": [
+    "CVE-2026-2281"
+  ],
+  "details": "The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2281"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/private-comment/tags/0.0.3/private-comment.php#L128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/private-comment/trunk/private-comment.php#L128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3458294/private-comment/trunk/private-comment.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94d75f18-67ab-4367-982b-73e256d5dbe2?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T07:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-53pp-j4fh-wvrr/GHSA-53pp-j4fh-wvrr.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53pp-j4fh-wvrr",
+  "modified": "2026-02-18T09:31:04Z",
+  "published": "2026-02-18T09:31:04Z",
+  "aliases": [
+    "CVE-2026-1656"
+  ],
+  "details": "The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1656"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/tags/6.4.20/includes/helpers/class-authenticated-listing-view.php#L20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/helpers/class-authenticated-listing-view.php#L20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3452627/business-directory-plugin/tags/6.4.21/includes/controllers/pages/class-submit-listing.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f894ce75-168c-4baa-8cae-d2e7f1a0a9ab?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T09:15:58Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5c5v-f747-q7rq/GHSA-5c5v-f747-q7rq.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5c5v-f747-q7rq",
+  "modified": "2026-02-18T09:31:03Z",
+  "published": "2026-02-18T09:31:03Z",
+  "aliases": [
+    "CVE-2026-1666"
+  ],
+  "details": "The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1666"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/Login.php#L137"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/views/login-form.php#L142"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455081%40download-manager%2Ftrunk&old=3440008%40download-manager%2Ftrunk&sfp_email=&sfph_mail=#file25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a7-92aa947310ac?source=cve"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wpdownloadmanager.com/doc/short-codes/wpdm_login_form-user-login-form-short-code"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T07:16:09Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-6mq9-qm49-w244/GHSA-6mq9-qm49-w244.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6mq9-qm49-w244",
+  "modified": "2026-02-18T09:31:04Z",
+  "published": "2026-02-18T09:31:04Z",
+  "aliases": [
+    "CVE-2026-2127"
+  ],
+  "details": "The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered via the `wp_ajax_so_widgets_preview` AJAX action. The function only verifies a nonce (`widgets_action`) but does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes by invoking the `SiteOrigin_Widget_Editor_Widget` via the preview endpoint. The required nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded in the `data-ajax-url` HTML attribute.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2127"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L75"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/editor/editor.php#L120"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/post-carousel/post-carousel.php#L590"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3460939%40so-widgets-bundle%2Ftrunk&old=3434183%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf92c64b-ca76-4af7-a1e4-585a60b03153?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T09:15:58Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-77g9-fwj8-pcwg/GHSA-77g9-fwj8-pcwg.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-77g9-fwj8-pcwg",
+  "modified": "2026-02-18T09:31:04Z",
+  "published": "2026-02-18T09:31:04Z",
+  "aliases": [
+    "CVE-2026-1937"
+  ],
+  "details": "The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1937"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T07:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-8425-76gw-qxj4/GHSA-8425-76gw-qxj4.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8425-76gw-qxj4",
+  "modified": "2026-02-18T09:31:03Z",
+  "published": "2026-02-18T09:31:03Z",
+  "aliases": [
+    "CVE-2026-1857"
+  ],
+  "details": "The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1857"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L57"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L77"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454881%40kadence-blocks%2Ftrunk&old=3453204%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea8d38a-f5ce-40dd-a015-f56d60579e05?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T07:16:09Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-8vw7-m4cj-2323/GHSA-8vw7-m4cj-2323.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8vw7-m4cj-2323",
+  "modified": "2026-02-18T09:31:04Z",
+  "published": "2026-02-18T09:31:04Z",
+  "aliases": [
+    "CVE-2026-2642"
+  ],
+  "details": "A security vulnerability has been detected in ggreer the_silver_searcher up to 2.2.0. The impacted element is the function search_stream of the file src/search.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2642"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ggreer/the_silver_searcher/issues/1558"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ggreer/the_silver_searcher"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oneafter/0119/blob/main/segv1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346398"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346398"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.752769"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T07:16:10Z"
+  }
+}