CVE-2025-67943
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wphocus my_auctions_allegro_free_edition to 3.6.32 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67943 is a medium priority Cross Site Scripting (XSS) vulnerability in the WordPress plugin "My auctions allegro" up to version 3.6.32. It allows an attacker to inject malicious scripts, such as redirects or advertisements, that execute when visitors access the compromised site. Exploitation requires a privileged user to interact with malicious content like clicking a link or submitting a form. The vulnerability falls under the OWASP Top 10 category A3: Injection and was fixed in version 3.6.33. [1]

Impact Analysis

This vulnerability can lead to attackers executing malicious scripts on your website, potentially redirecting users, displaying unwanted advertisements, or stealing sensitive information. It requires a privileged user to interact with malicious content, which can compromise the integrity and security of your site and its visitors. [1]

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious input or script injection attempts targeting the My auctions allegro plugin up to version 3.6.32. Since it is a reflected XSS vulnerability, you can look for unusual URL parameters or payloads in HTTP requests that include script tags or suspicious HTML. Using web application security scanners that detect XSS vulnerabilities can help. Specific commands depend on your environment, but for example, you can use curl or wget to test for reflected script injection by sending crafted requests and observing responses. Example command: curl -v 'http://your-site.com/path?param=<script>alert(1)</script>' and check if the script is reflected in the response. Additionally, reviewing web server logs for suspicious query strings or payloads can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update the My auctions allegro plugin to version 3.6.33 or later, where the vulnerability is fixed. Until the update can be applied, you can use the automatic mitigation rule provided by Patchstack to block attack attempts. Enabling auto-update options for the plugin can also help ensure timely patching. Additionally, educating privileged users to avoid clicking suspicious links or submitting untrusted forms can reduce exploitation risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart