CVE-2025-68566

MEDIUM
2025-12-24 [email protected]
5.4
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro (my-auctions-allegro-free-edition) allows Stored XSS. This issue affects My auctions allegro: from n/a through <= 3.6.35.

Analysis

Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

Technical Context

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability in the My auctions allegro WordPress plugin, a third-party plugin for managing Allegro marketplace auctions within WordPress. The plugin fails to properly sanitize or escape user input when rendering auction-related content on web pages, allowing authenticated users (PR:L in CVSS vector) to inject arbitrary HTML and JavaScript. The vulnerability manifests as stored XSS, meaning malicious payloads persist in the WordPress database and execute whenever other users (including administrators or other authenticated users) view the affected content, typically through the plugin's auction display functionality.
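To make the CWE-79 pattern concrete, the following is an added illustration written for this page, not code from the My auctions allegro plugin: a hypothetical shortcode that renders a stored auction record, first echoing stored fields straight into markup, then with WordPress escaping applied per output context. The `maa_example_*` function names and `_maa_*` meta keys are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. $auction is assumed to hold
// values read back from the database (e.g. get_post_meta) that a low-privilege
// user was able to save without sanitization.

function maa_example_render_vulnerable( array $auction ) {
    // Stored text is concatenated directly into HTML. A title or description
    // containing markup or a <script> tag is rendered as-is and executes in
    // the browser of every visitor or administrator who views the listing.
    $html  = '<div class="auction">';
    $html .= '<h3>' . $auction['title'] . '</h3>';
    $html .= '<a href="' . $auction['url'] . '">' . $auction['title'] . '</a>';
    $html .= '<img src="' . $auction['image'] . '" alt="' . $auction['title'] . '">';
    $html .= '<p>' . $auction['description'] . '</p>';
    $html .= '</div>';
    return $html;
}

function maa_example_render_fixed( array $auction ) {
    // Escape at output time, with an encoder chosen for each context:
    // esc_html() for text nodes, esc_attr() for attribute values, esc_url()
    // for href/src (it also drops disallowed URL schemes), and wp_kses_post()
    // where limited post-style HTML is wanted but scripts and event-handler
    // attributes must be stripped.
    $title = esc_html( $auction['title'] );
    $html  = '<div class="auction">';
    $html .= '<h3>' . $title . '</h3>';
    $html .= '<a href="' . esc_url( $auction['url'] ) . '">' . $title . '</a>';
    $html .= '<img src="' . esc_url( $auction['image'] ) . '" alt="' . esc_attr( $auction['title'] ) . '">';
    $html .= '<p>' . wp_kses_post( $auction['description'] ) . '</p>';
    $html .= '</div>';
    return $html;
}

// Register [maa_example id="123"] so that the escaped renderer is the one
// reached from page content. The meta keys below are constructed for this
// example; the real plugin stores its data differently.
add_shortcode( 'maa_example', function ( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts );
    $post_id = absint( $atts['id'] );
    $auction = array(
        'title'       => get_post_meta( $post_id, '_maa_title', true ),
        'url'         => get_post_meta( $post_id, '_maa_url', true ),
        'image'       => get_post_meta( $post_id, '_maa_image', true ),
        'description' => get_post_meta( $post_id, '_maa_description', true ),
    );
    return maa_example_render_fixed( $auction );
} );
```

Output escaping is the fix that closes the stored XSS; sanitizing on save (sanitize_text_field(), esc_url_raw()) is a worthwhile second layer but does not replace it, since data already in the database is only made safe at render time.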

Affected Products

The WordPress plugin My auctions allegro (free edition, published as my-auctions-allegro-free-edition) in versions from the earliest tracked version through and including 3.6.35 is affected. The plugin is available on the WordPress.org plugin repository and is used to manage Allegro marketplace auctions within WordPress sites. Organizations running My auctions allegro versions 3.6.35 or earlier should apply the available patch.

Remediation

Update the My auctions allegro plugin to a patched version higher than 3.6.35. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate My auctions allegro, and click Update if a newer version is available. Alternatively, use the WordPress command-line interface (wp plugin update my-auctions-allegro-free-edition) if available. Immediately after patching, review and audit any auction listings or content created by non-administrative users to identify potential malicious scripts. If patching is not immediately possible, restrict plugin access to trusted administrative users only via WordPress user role management, limiting PR:L (low-privilege) access until the patch can be deployed. Reference the vulnerability details at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability for additional context and confirmation of the patched version.

Priority Score

27 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0
