Skip to main content

CVE-2025-68566

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-24 audit@patchstack.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM) 5.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS.This issue affects My auctions allegro: from n/a through <= 3.6.35.

AnalysisAI

Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

Technical ContextAI

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability in the My auctions allegro WordPress plugin, a third-party plugin for managing Allegro marketplace auctions within WordPress. The plugin fails to properly sanitize or escape user input when rendering auction-related content on web pages, allowing authenticated users (PR:L in CVSS vector) to inject arbitrary HTML and JavaScript. The vulnerability manifests as stored XSS, meaning malicious payloads persist in the WordPress database and execute whenever other users (including administrators or other authenticated users) view the affected content, typically through the plugin's auction display functionality.

Affected ProductsAI

The WordPress plugin My auctions allegro (free edition, published as my-auctions-allegro-free-edition) in versions from the earliest tracked version through and including 3.6.35 is affected. The plugin is available on the WordPress.org plugin repository and is used to manage Allegro marketplace auctions within WordPress sites. Organizations running My auctions allegro versions 3.6.35 or earlier should apply the available patch.

RemediationAI

Update the My auctions allegro plugin to a patched version higher than 3.6.35. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate My auctions allegro, and click Update if a newer version is available. Alternatively, use the WordPress command-line interface (wp plugin update my-auctions-allegro-free-edition) if available. Immediately after patching, review and audit any auction listings or content created by non-administrative users to identify potential malicious scripts. If patching is not immediately possible, restrict plugin access to trusted administrative users only via WordPress user role management, limiting PR:L (low-privilege) access until the patch can be deployed. Reference the vulnerability details at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability for additional context and confirmation of the patched version.

Share

CVE-2025-68566 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy