Skip to main content

My Auctions Allegro EUVDEUVD-2026-15493

| CVE-2026-22491 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-4wp7-5593-xvx5
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15493
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.35.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin 'My auctions allegro' (free edition) through version 3.6.35, allowing attackers to inject malicious scripts into web pages viewed by victims. An unauthenticated attacker can craft a malicious URL containing JavaScript code that executes in the victim's browser when clicked, potentially stealing session cookies, redirecting users, or performing actions on behalf of the user. No CVSS score, EPSS score, or KEV status has been assigned, and patch availability status is unclear, though the vulnerability was identified and reported by Patchstack security researchers.

Technical ContextAI

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or encoded before being reflected back in HTML responses. The affected product is the WordPress plugin 'My auctions allegro' (CPE: cpe:2.3:a:wphocus:my_auctions_allegro:*:*:*:*:*:*:*:*) developed by wphocus, which integrates the Allegro marketplace with WordPress. The vulnerability manifests as a Reflected XSS flaw, meaning the malicious payload is passed via URL parameters and immediately reflected in the HTTP response without validation or HTML entity encoding, allowing script execution in the victim's browser context within the origin of the WordPress site.

RemediationAI

Immediately upgrade the 'My auctions allegro' plugin to a version later than 3.6.35 if a patched version has been released by wphocus; check the WordPress plugin repository or vendor advisory via Patchstack for the latest secure version. If no patched version is available, consider temporarily deactivating the plugin until a security update is released, or review alternative Allegro marketplace integration plugins. As an interim mitigation, implement a Web Application Firewall (WAF) rule to detect and block common XSS injection patterns in URL parameters, enforce Content Security Policy (CSP) headers to restrict inline script execution, and educate users not to click untrusted links to your WordPress site. Monitor the Patchstack vulnerability database and the wphocus vendor channels for patch announcements at https://patchstack.com/.

Share

EUVD-2026-15493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy