Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing reflected cross‑site scripting (XSS). An attacker can supply malicious script that the plugin reflects back to the victim’s browser; this flaw is classified as CWE‑79.

Affected Systems

The issue affects the WordPress plugin My auctions allegro, Free Edition, developed by Wphocus. All releases from the initial version through 3.6.32 are vulnerable, so any WordPress site running a vulnerable instance of this plugin is at risk.

Risk and Exploitability

The CVSS score of 7.1 places the flaw in the high severity range, and the EPSS score of less than 1 % indicates a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. While the CVE description does not specify an exploitation method, the typical attack vector for reflected XSS is a crafted request that injects payload into an unfiltered plugin output; the impact is confined to the user’s browser session, and additional damage scope is not detailed in the CVE data.

Generated by OpenCVE AI on April 28, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My auctions allegro plugin to a version newer than 3.6.32, which resolves the reflected XSS path.
  • If updating immediately is not possible, enforce output encoding on any user‑supplied data that the plugin reflects by using WordPress functions such as esc_html() or esc_attr().
  • Consider deploying a web application firewall rule that detects and blocks common XSS payloads or monitors for reflected scripts.

Generated by OpenCVE AI on April 28, 2026 at 10:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wphocus
Wphocus my Auctions Allegro
Vendors & Products Wordpress
Wordpress wordpress
Wphocus
Wphocus my Auctions Allegro

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
Title WordPress My auctions allegro plugin <= 3.6.32 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
Wphocus My Auctions Allegro
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:27:33.399Z

Reserved: 2025-12-15T10:00:06.384Z

Link: CVE-2025-67943

cve-icon Vulnrichment

Updated: 2026-01-28T16:27:38.209Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:03.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses