Impact
The My auctions allegro plugin contains an improper neutralization of input during web page generation (CWE-79), i.e. a reflected cross-site scripting (XSS) vulnerability. Unsanitized user input is echoed back into a page, allowing an attacker to inject JavaScript. While the description does not specify the exact downstream effects, it is inferred that any code executed in a victim's browser could be used to compromise session data, alter page content, or redirect users. The potential impact therefore includes confidentiality and integrity risks for users who interact with the affected pages.
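To make the defect class concrete, the following is an added PHP example; it is not the My auctions allegro plugin's own code (the affected code path is not given in this advisory) but a hypothetical WordPress shortcode that reflects a `search` query parameter, shown first in the vulnerable form and then hardened with WordPress's context-specific escaping functions.

```php
<?php
// Added example (hypothetical plugin code, not from My auctions allegro):
// the reflected-XSS pattern CWE-79 describes, and its hardened form.
// Scenario: a shortcode renders "Results for: <term>" and pre-fills a
// search box with the same term taken from the request URL.

// VULNERABLE: the request parameter is concatenated into HTML unescaped,
// so any markup carried in the URL is rendered as part of the page.
function maa_demo_vulnerable_shortcode() {
    $term = isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '">';
}

// HARDENED: sanitize on input, then escape on output for the exact context
// the value lands in (HTML body vs. attribute value). The output escaping
// is what removes the XSS; sanitize_text_field() is defence in depth and
// must not be relied on alone, since it does not escape HTML.
function maa_demo_hardened_shortcode() {
    $term = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="search" value="' . esc_attr( $term ) . '">';
}

// Only the hardened handler is registered; the vulnerable one is kept
// above purely for side-by-side comparison during code review.
add_shortcode( 'maa_demo_results', 'maa_demo_hardened_shortcode' );
```

When reviewing a plugin for this bug class, search for `echo`/`return` of `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` values that reach HTML without passing through an `esc_*()` function matching the output context.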
Affected Systems
The vulnerability affects the WordPress My auctions allegro plugin from the wphocus vendor. All releases from the earliest available version through 3.6.18 are vulnerable; only versions newer than 3.6.18 are known to be safe.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% implies that, at the time of this analysis, widespread exploitation is unlikely. The plugin is not listed in CISA's KEV catalog. Based on the description, it is inferred that the XSS can be triggered by an attacker who can supply a crafted URL or content that is rendered on the site's pages, potentially affecting any visitor or authenticated user who loads the affected content.