Search criteria
9 vulnerabilities by wphocus
CVE-2025-68567 (GCVE-0-2025-68567)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:10 – Updated: 2025-12-24 19:30
VLAI?
Title
WordPress My auctions allegro plugin <= 3.6.32 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.This issue affects My auctions allegro: from n/a through <= 3.6.32.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
n/a , ≤ <= 3.6.32
(custom)
|
Credits
Muhammad Nur Ibnu Hubab | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T18:53:01.025661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T19:30:46.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "my-auctions-allegro-free-edition",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "\u003c= 3.6.32",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-12-24T14:09:10.200Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.\u003cp\u003eThis issue affects My auctions allegro: from n/a through \u003c= 3.6.32.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.This issue affects My auctions allegro: from n/a through \u003c= 3.6.32."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:10:36.094Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress My auctions allegro plugin \u003c= 3.6.32 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68567",
"datePublished": "2025-12-24T13:10:36.094Z",
"dateReserved": "2025-12-19T10:17:28.557Z",
"dateUpdated": "2025-12-24T19:30:46.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68566 (GCVE-0-2025-68566)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:10 – Updated: 2025-12-24 19:30
VLAI?
Title
WordPress My auctions allegro plugin <= 3.6.32 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
n/a , ≤ <= 3.6.32
(custom)
|
Credits
Muhammad Nur Ibnu Hubab | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T18:53:13.178977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T19:30:51.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "my-auctions-allegro-free-edition",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "\u003c= 3.6.32",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-12-24T14:09:10.080Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS.\u003cp\u003eThis issue affects My auctions allegro: from n/a through \u003c= 3.6.32.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS.This issue affects My auctions allegro: from n/a through \u003c= 3.6.32."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:10:35.820Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress My auctions allegro plugin \u003c= 3.6.32 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68566",
"datePublished": "2025-12-24T13:10:35.820Z",
"dateReserved": "2025-12-19T10:17:28.557Z",
"dateUpdated": "2025-12-24T19:30:51.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12851 (GCVE-0-2025-12851)
Vulnerability from cvelistv5 – Published: 2025-12-05 09:27 – Updated: 2025-12-05 12:53
VLAI?
Title
My auctions allegro <= 3.6.32 - Unauthenticated Local File Inclusion via controller
Summary
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Severity ?
8.1 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
* , ≤ 3.6.32
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T12:52:56.259009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T12:53:13.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.32",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the \u0027controller\u0027 parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T09:27:00.893Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/202a8493-6df0-4a5e-b6bf-099219830e01?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-07T00:00:59.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-04T20:41:27.000+00:00",
"value": "Disclosed"
}
],
"title": "My auctions allegro \u003c= 3.6.32 - Unauthenticated Local File Inclusion via controller"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12851",
"datePublished": "2025-12-05T09:27:00.893Z",
"dateReserved": "2025-11-06T23:45:33.325Z",
"dateUpdated": "2025-12-05T12:53:13.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12850 (GCVE-0-2025-12850)
Vulnerability from cvelistv5 – Published: 2025-12-05 06:43 – Updated: 2025-12-05 13:10
VLAI?
Title
My auctions allegro <= 3.6.32 - Unauthenticated SQL Injection via auction_id
Summary
The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
* , ≤ 3.6.32
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T13:09:20.832905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T13:10:09.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.32",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the \u2018auction_id\u2019 parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T06:43:51.373Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc4883b8-5783-49ff-ab3b-c568c9923227?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T23:48:12.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-04T18:36:48.000+00:00",
"value": "Disclosed"
}
],
"title": "My auctions allegro \u003c= 3.6.32 - Unauthenticated SQL Injection via auction_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12850",
"datePublished": "2025-12-05T06:43:51.373Z",
"dateReserved": "2025-11-06T23:27:27.375Z",
"dateUpdated": "2025-12-05T13:10:09.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10048 (GCVE-0-2025-10048)
Vulnerability from cvelistv5 – Published: 2025-10-11 07:25 – Updated: 2025-10-14 14:12
VLAI?
Title
My Auctions Allegro Plugin <= 3.6.31 - Authenticated (Admin+) SQL Injection
Summary
The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 3.6.31 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
* , ≤ 3.6.31
(semver)
|
Credits
tmrswrr
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:31:11.612006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:12:07.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.31",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "tmrswrr"
}
],
"descriptions": [
{
"lang": "en",
"value": "The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter in all versions up to, and including, 3.6.31 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-11T07:25:57.688Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d81c8d5-3862-4401-9226-9c7380f364a7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3375019/my-auctions-allegro-free-edition"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-08T16:46:05.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "My Auctions Allegro Plugin \u003c= 3.6.31 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10048",
"datePublished": "2025-10-11T07:25:57.688Z",
"dateReserved": "2025-09-05T18:45:35.058Z",
"dateUpdated": "2025-10-14T14:12:07.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27009 (GCVE-0-2025-27009)
Vulnerability from cvelistv5 – Published: 2025-04-14 11:05 – Updated: 2025-04-14 11:52 X_Open Source
VLAI?
Title
WordPress My auctions allegro plugin <= 3.6.20 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro allows Stored XSS.This issue affects My auctions allegro: from n/a through 3.6.20.
Severity ?
7.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
n/a , ≤ 3.6.20
(custom)
|
Credits
Nabil Irawan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T11:50:59.269919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T11:52:37.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "my-auctions-allegro-free-edition",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.20",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nabil Irawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro allows Stored XSS.\u003cp\u003eThis issue affects My auctions allegro: from n/a through 3.6.20.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro allows Stored XSS.This issue affects My auctions allegro: from n/a through 3.6.20."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T11:05:34.699Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-20-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress My auctions allegro plugin \u003c= 3.6.20 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-27009",
"datePublished": "2025-04-14T11:05:34.699Z",
"dateReserved": "2025-02-17T11:52:15.089Z",
"dateUpdated": "2025-04-14T11:52:37.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31542 (GCVE-0-2025-31542)
Vulnerability from cvelistv5 – Published: 2025-03-31 12:55 – Updated: 2025-03-31 14:24
VLAI?
Title
WordPress My auctions allegro plugin <= 3.6.20 - SQL Injection vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wphocus My auctions allegro allows Blind SQL Injection. This issue affects My auctions allegro: from n/a through 3.6.20.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
n/a , ≤ 3.6.20
(custom)
|
Credits
Trương Hữu Phúc (truonghuuphuc) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T14:22:49.363593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T14:24:13.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "my-auctions-allegro-free-edition",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.20",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in wphocus My auctions allegro allows Blind SQL Injection.\u003c/p\u003e\u003cp\u003eThis issue affects My auctions allegro: from n/a through 3.6.20.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in wphocus My auctions allegro allows Blind SQL Injection. This issue affects My auctions allegro: from n/a through 3.6.20."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-7 Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T12:55:12.286Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-20-sql-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress My auctions allegro plugin \u003c= 3.6.20 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31542",
"datePublished": "2025-03-31T12:55:12.286Z",
"dateReserved": "2025-03-31T10:05:22.814Z",
"dateUpdated": "2025-03-31T14:24:13.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22733 (GCVE-0-2025-22733)
Vulnerability from cvelistv5 – Published: 2025-01-21 13:57 – Updated: 2025-02-12 20:31
VLAI?
Title
WordPress My auctions allegro Plugin <= 3.6.18 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPHocus My auctions allegro allows Reflected XSS. This issue affects My auctions allegro: from n/a through 3.6.18.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPHocus | My auctions allegro |
Affected:
n/a , ≤ 3.6.18
(custom)
|
Credits
João Pedro S Alcântara (Kinorth) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T14:25:23.680482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:31:26.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "my-auctions-allegro-free-edition",
"product": "My auctions allegro",
"vendor": "WPHocus",
"versions": [
{
"changes": [
{
"at": "3.6.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.6.18",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPHocus My auctions allegro allows Reflected XSS.\u003c/p\u003e\u003cp\u003eThis issue affects My auctions allegro: from n/a through 3.6.18.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPHocus My auctions allegro allows Reflected XSS. This issue affects My auctions allegro: from n/a through 3.6.18."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T13:57:35.928Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress My auctions allegro wordpress plugin to the latest available version (at least 3.6.19)."
}
],
"value": "Update the WordPress My auctions allegro wordpress plugin to the latest available version (at least 3.6.19)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress My auctions allegro Plugin \u003c= 3.6.18 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22733",
"datePublished": "2025-01-21T13:57:35.928Z",
"dateReserved": "2025-01-07T21:04:12.250Z",
"dateUpdated": "2025-02-12T20:31:26.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11707 (GCVE-0-2024-11707)
Vulnerability from cvelistv5 – Published: 2024-12-03 07:34 – Updated: 2024-12-03 11:23
VLAI?
Title
My auctions allegro <= 3.6.17 - Reflected Cross-Site Scripting
Summary
The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wphocus | My auctions allegro |
Affected:
* , ≤ 3.6.17
(semver)
|
Credits
Dale Mavers
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T11:21:10.853709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T11:23:42.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "My auctions allegro",
"vendor": "wphocus",
"versions": [
{
"lessThanOrEqual": "3.6.17",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u0027 parameter in all versions up to, and including, 3.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T07:34:57.388Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57a78696-5892-4621-992f-5e4a7d8fa965?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197924%40my-auctions-allegro-free-edition\u0026new=3197924%40my-auctions-allegro-free-edition\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3198824%40my-auctions-allegro-free-edition\u0026new=3198824%40my-auctions-allegro-free-edition\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-02T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "My auctions allegro \u003c= 3.6.17 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11707",
"datePublished": "2024-12-03T07:34:57.388Z",
"dateReserved": "2024-11-25T16:29:48.681Z",
"dateUpdated": "2024-12-03T11:23:42.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}