Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.35.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin 'My auctions allegro' (free edition) through version 3.6.35, allowing attackers to inject malicious scripts into web pages viewed by victims. An unauthenticated attacker can craft a malicious URL containing JavaScript code that executes in the victim's browser when clicked, potentially stealing session cookies, redirecting users, or performing actions on behalf of the user. No CVSS score, EPSS score, or KEV status has been assigned, and patch availability status is unclear, though the vulnerability was identified and reported by Patchstack security researchers.
Technical ContextAI
The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or encoded before being reflected back in HTML responses. The affected product is the WordPress plugin 'My auctions allegro' (CPE: cpe:2.3:a:wphocus:my_auctions_allegro:*:*:*:*:*:*:*:*) developed by wphocus, which integrates the Allegro marketplace with WordPress. The vulnerability manifests as a Reflected XSS flaw, meaning the malicious payload is passed via URL parameters and immediately reflected in the HTTP response without validation or HTML entity encoding, allowing script execution in the victim's browser context within the origin of the WordPress site.
RemediationAI
Immediately upgrade the 'My auctions allegro' plugin to a version later than 3.6.35 if a patched version has been released by wphocus; check the WordPress plugin repository or vendor advisory via Patchstack for the latest secure version. If no patched version is available, consider temporarily deactivating the plugin until a security update is released, or review alternative Allegro marketplace integration plugins. As an interim mitigation, implement a Web Application Firewall (WAF) rule to detect and block common XSS injection patterns in URL parameters, enforce Content Security Policy (CSP) headers to restrict inline script execution, and educate users not to click untrusted links to your WordPress site. Monitor the Patchstack vulnerability database and the wphocus vendor channels for patch announcements at https://patchstack.com/.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15493
GHSA-4wp7-5593-xvx5