Impact
A Cross-Site Request Forgery (CSRF) flaw in the My auctions allegro plugin enables an attacker to trigger an action on behalf of a privileged user, leading to the injection of malicious script that is stored on the site. Because the forged request is issued from the victim's own browser, it carries the victim's authenticated session and passes the site's normal authentication checks, so the attacker can embed code that executes whenever the affected content is viewed, compromising the integrity and confidentiality of the site's content and potentially allowing data exfiltration or defacement. The core weakness is a failure to validate CSRF tokens and to enforce proper input handling, as reflected by CWE-352.
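As an added illustration (not code from the My auctions allegro plugin, whose source is not on this page), the pattern CWE-352 describes in a hypothetical WordPress settings handler, shown beside its hardened form: nonce verification, a capability check, input sanitization and output escaping. Every function, option and action name prefixed `mya_` is an assumption.

```php
<?php
// Added illustration, not the plugin's code. All mya_* names are assumed.

// BEFORE (the CWE-352 pattern): no nonce check, no capability check, no
// sanitization. A cross-site POST auto-submitted by a logged-in admin's
// browser is accepted, and raw HTML/script is persisted in the option.
function mya_save_title_vulnerable() {
    if ( isset( $_POST['mya_title'] ) ) {
        update_option( 'mya_title', $_POST['mya_title'] );
    }
}

// AFTER: require a nonce bound to this specific action, require the
// capability the action needs, and strip markup before storing.
function mya_save_title_hardened() {
    if ( ! isset( $_POST['mya_title'] ) ) {
        return;
    }
    // Terminates with 403 unless _wpnonce was issued by
    // wp_nonce_field( 'mya_save_title' ) for the current user/session.
    check_admin_referer( 'mya_save_title' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['mya_title'] ) );
    update_option( 'mya_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=mya_settings&saved=1' ) );
    exit;
}
add_action( 'admin_post_mya_save_title', 'mya_save_title_hardened' );

// The legitimate form embeds the nonce; a third-party site cannot obtain it.
function mya_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mya_save_title">';
    wp_nonce_field( 'mya_save_title' );
    echo '<input type="text" name="mya_title" value="'
        . esc_attr( get_option( 'mya_title', '' ) ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Escape at render time as well, so a stored value is never interpreted as script.
function mya_show_title() {
    echo '<h2>' . esc_html( get_option( 'mya_title', '' ) ) . '</h2>';
}
```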
Affected Systems
The issue affects the free edition of the My auctions allegro plugin distributed by wphocus. All releases before 3.6.34, including 3.6.33, are susceptible. Anyone running this plugin on a WordPress site should verify the installed version and treat the installation as vulnerable until it has been updated to 3.6.34 or later.
Risk and Exploitability
The reported CVSS score of 7.1 indicates a high‑severity vulnerability, while an EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known active exploitation is confirmed. An attacker would need to entice a logged‑in user or exploit existing privileges to send the forged request, typically via a malicious link or embedded form. Once exploited, stored XSS can impact all users who view the compromised content.
OpenCVE Enrichment