Skip to main content

CVE-2025-68567

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-24 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Severity Changed
Apr 23, 2026 - 15:43 NVD
HIGH MEDIUM
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.This issue affects My auctions allegro: from n/a through <= 3.6.33.

AnalysisAI

Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.

Technical ContextAI

This vulnerability affects the My Auctions Allegro WordPress plugin, a tool for managing Allegro marketplace listings within WordPress. The flaw is classified as CWE-352 (Cross-Site Request Forgery), indicating the plugin lacks proper anti-CSRF tokens or validation mechanisms on state-changing operations. CSRF attacks exploit the trust a web application has in an authenticated user's browser by submitting forged requests without the user's knowledge. Affected versions span from earliest releases through version 3.6.33. The plugin's functionality likely involves managing auction listings, inventory, or financial transactions with the Allegro platform, which could explain the high impact ratings if CSRF tokens are missing on critical administrative functions.

Affected ProductsAI

The vulnerability impacts the My Auctions Allegro WordPress plugin (my-auctions-allegro-free-edition) in all versions from initial release through version 3.6.33 inclusive. This plugin integrates Allegro marketplace auction management capabilities into WordPress installations. The affected component appears to be the free edition of the plugin distributed through the WordPress plugin repository. Organizations running WordPress sites with this plugin installed in versions 3.6.33 or earlier should consider themselves affected. The vulnerability was reported by Patchstack's audit team, indicating discovery through third-party security research rather than responsible disclosure from the vendor community.

RemediationAI

Site administrators should upgrade the My Auctions Allegro plugin to a version newer than 3.6.33 if a patched release becomes available. Check the WordPress plugin repository or vendor communications for security updates addressing CVE-2025-68567. Until a confirmed patch is released, implement compensating controls including restricting plugin administrative access to trusted users only, educating administrators about CSRF risks and avoiding clicking untrusted links while logged into WordPress, and considering temporary plugin deactivation if auction management functionality is not business-critical. Monitor the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability for vendor response and patch availability updates. Review WordPress access logs for suspicious administrative actions that may indicate exploitation attempts.

Share

CVE-2025-68567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy