Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro (my-auctions-allegro-free-edition) allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.35.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS allows malicious script execution in users’ browsers
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of user-supplied input during web page rendering, which permits attackers to inject and execute arbitrary JavaScript when a victim views a crafted page. This can lead to session hijacking, defacement, or data theft. The weakness is identified as CWE-79.

Affected Systems

The flaw affects the My auctions allegro plugin for WordPress, published by wphocus, versions up to and including 3.6.35. Any site running the plugin in that version range is potentially vulnerable.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. No EPSS data is available, and the vulnerability is not in the CISA KEV catalog. Attackers can exploit this remotely by supplying malicious input to a reflected parameter in the plugin’s input forms or URLs; no credentials or local access are required. Given the broad exposure to web traffic, the likelihood of exploitation is significant for unpatched sites.

Generated by OpenCVE AI on March 25, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the My auctions allegro plugin to the latest version available from the vendor.
  • If an update is not immediately possible, remove or disable the plugin to eliminate the attack surface.
  • Consider implementing a web application firewall or content security policy to block reflected XSS payloads on the site.


Tracking


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wphocus; Wphocus my Auctions Allegro

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wphocus; Wphocus my Auctions Allegro

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.35.

Type: Title
Values Removed: (none)
Values Added: WordPress My auctions allegro plugin <= 3.6.35 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:34.776Z

Reserved: 2026-01-07T13:44:23.295Z

Link: CVE-2026-22491

Vulnrichment

Updated: 2026-03-25T20:18:18.887Z

NVD

Status: Received

Published: 2026-03-25T17:16:31.087

Modified: 2026-03-25T21:16:29.060

Link: CVE-2026-22491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:13:16Z

Weaknesses