CVE-2025-68567
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.This issue affects My auctions allegro: from n/a through <= 3.6.33.
AnalysisAI
Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.
Technical ContextAI
This vulnerability affects the My Auctions Allegro WordPress plugin, a tool for managing Allegro marketplace listings within WordPress. The flaw is classified as CWE-352 (Cross-Site Request Forgery), indicating the plugin lacks proper anti-CSRF tokens or validation mechanisms on state-changing operations. CSRF attacks exploit the trust a web application has in an authenticated user's browser by submitting forged requests without the user's knowledge. Affected versions span from earliest releases through version 3.6.33. The plugin's functionality likely involves managing auction listings, inventory, or financial transactions with the Allegro platform, which could explain the high impact ratings if CSRF tokens are missing on critical administrative functions.
Affected ProductsAI
The vulnerability impacts the My Auctions Allegro WordPress plugin (my-auctions-allegro-free-edition) in all versions from initial release through version 3.6.33 inclusive. This plugin integrates Allegro marketplace auction management capabilities into WordPress installations. The affected component appears to be the free edition of the plugin distributed through the WordPress plugin repository. Organizations running WordPress sites with this plugin installed in versions 3.6.33 or earlier should consider themselves affected. The vulnerability was reported by Patchstack's audit team, indicating discovery through third-party security research rather than responsible disclosure from the vendor community.
RemediationAI
Site administrators should upgrade the My Auctions Allegro plugin to a version newer than 3.6.33 if a patched release becomes available. Check the WordPress plugin repository or vendor communications for security updates addressing CVE-2025-68567. Until a confirmed patch is released, implement compensating controls including restricting plugin administrative access to trusted users only, educating administrators about CSRF risks and avoiding clicking untrusted links while logged into WordPress, and considering temporary plugin deactivation if auction management functionality is not business-critical. Monitor the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability for vendor response and patch availability updates. Review WordPress access logs for suspicious administrative actions that may indicate exploitation attempts.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today