CVE-2025-12851
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | my_auctions_allegro | 3.6.32 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the My auctions allegro plugin for WordPress, affecting all versions up to and including 3.6.32. It occurs via the 'controller' parameter, allowing unauthenticated attackers to include and execute arbitrary files on the server. This means attackers can run any PHP code contained in those files, potentially bypassing access controls and compromising the server.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary PHP code on the server without authentication. This can lead to bypassing access controls, obtaining sensitive data, and full code execution on the server. Attackers might also upload and include files disguised as safe types like images to exploit this vulnerability, resulting in severe security breaches.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the My auctions allegro WordPress plugin to version 3.6.33 or later, which includes security fixes such as improved input sanitization, safer SQL query preparation, and validation to prevent directory traversal and arbitrary class loading. These changes address the Local File Inclusion vulnerability by strengthening input validation and preventing execution of arbitrary files. [2]