CVE-2025-68567
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery. This issue affects My auctions allegro: from n/a through <= 3.6.33.
Analysis
A Cross-Site Request Forgery flaw in the WordPress plugin My Auctions Allegro (versions ≤ 3.6.33) lets an unauthenticated remote attacker cause state-changing actions to be performed on behalf of an authenticated user who is lured into opening a crafted page or link. The CVSS 8.8 (High) rating reflects the potential for high confidentiality, integrity, and availability impact when the victim is an administrator who is logged in at the time. The EPSS score of 0.02% (6th percentile) indicates a very low probability of exploitation in the wild. No active exploitation has been confirmed (the CVE is not in the CISA KEV catalogue) and no public exploit had been identified at the time of analysis, so this remains a high-severity but theoretical issue that requires user interaction.
Technical Context
This vulnerability affects the My Auctions Allegro WordPress plugin, a tool for managing Allegro marketplace listings from within WordPress. The flaw is classified as CWE-352 (Cross-Site Request Forgery), meaning the plugin does not properly require or validate an anti-CSRF token (in WordPress terms, a nonce) on state-changing operations. CSRF abuses the trust a web application places in an authenticated user's browser: because the browser attaches the session cookie automatically, a request forged by a third-party page is accepted as if the user had submitted it, without the user's knowledge. Affected versions span from the earliest releases through version 3.6.33. The plugin's functionality likely involves managing auction listings, inventory, or financial transactions with the Allegro platform, which would explain the high impact ratings if nonce checks are missing on critical administrative functions.
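The missing-token pattern described above and the standard WordPress fix, as an added illustration that is not code from the My Auctions Allegro plugin; the handler, option and nonce names are hypothetical, and the "before" handler is shown only to make the defect visible:

```php
<?php
// Added illustration (not code from the My Auctions Allegro plugin): a
// hypothetical admin-post handler that changes plugin state, shown first
// without and then with WordPress's anti-CSRF protection (CWE-352).
// Function, option and nonce names are invented for this example.

// BEFORE: any request carrying the expected POST field is honoured.
// Only the authentication cookie is relied upon, so a form submitted by a
// logged-in administrator's browser from a third-party page would pass.
function mya_example_save_settings_unsafe() {
    update_option( 'mya_example_api_key', sanitize_text_field( $_POST['api_key'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mya-example&saved=1' ) );
    exit;
}

// AFTER: the form embeds a nonce bound to this action and the current user,
// and the handler refuses to act unless the nonce verifies AND the user
// holds the required capability. A third-party origin cannot read or
// predict the nonce, so a forged request fails the check.
function mya_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mya_example_save_settings">
        <?php wp_nonce_field( 'mya_example_save_settings', 'mya_example_nonce' ); ?>
        <input type="text" name="api_key">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function mya_example_save_settings_safe() {
    // Authorization first: a nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'mya_example_save_settings', 'mya_example_nonce' );

    update_option( 'mya_example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mya-example&saved=1' ) );
    exit;
}

// Only the protected handler is hooked; admin_post_* runs for logged-in users.
add_action( 'admin_post_mya_example_save_settings', 'mya_example_save_settings_safe' );
```

When auditing a plugin for this class of issue, look for every update_option(), wp_insert_post() or remote API call reached from an admin_post_*, admin_ajax or REST handler and confirm a nonce (or REST cookie nonce) and capability check precede it.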
Affected Products
The vulnerability affects the My Auctions Allegro WordPress plugin (slug my-auctions-allegro-free-edition) in all versions from the initial release through version 3.6.33 inclusive. The plugin integrates Allegro marketplace auction management into WordPress installations. The affected component appears to be the free edition distributed through the WordPress plugin repository. Organizations running WordPress sites with version 3.6.33 or earlier of this plugin installed should consider themselves affected. The vulnerability was reported by Patchstack's audit team, indicating that it was found through third-party security research rather than disclosed by the vendor.
Remediation
Site administrators should upgrade the My Auctions Allegro plugin to a version newer than 3.6.33 as soon as a patched release becomes available; check the WordPress plugin repository and vendor communications for a security update addressing CVE-2025-68567. Until a confirmed patch is released, apply compensating controls: restrict the plugin's administrative functions to trusted users only, make administrators aware of the CSRF risk and of the danger of opening untrusted links while logged into WordPress, and consider temporarily deactivating the plugin if auction management is not business-critical. Monitor the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability for vendor response and patch availability. Review WordPress access logs for administrative actions that the responsible user did not knowingly perform, particularly POST requests to plugin endpoints with an unexpected or missing Referer, as these may indicate exploitation attempts.