CVE-2025-67943
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wphocus | my_auctions_allegro_free_edition | to 3.6.32 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67943 is a medium priority Cross Site Scripting (XSS) vulnerability in the WordPress plugin "My auctions allegro" up to version 3.6.32. It allows an attacker to inject malicious scripts, such as redirects or advertisements, that execute when visitors access the compromised site. Exploitation requires a privileged user to interact with malicious content like clicking a link or submitting a form. The vulnerability falls under the OWASP Top 10 category A3: Injection and was fixed in version 3.6.33. [1]
How can this vulnerability impact me? :
This vulnerability can lead to attackers executing malicious scripts on your website, potentially redirecting users, displaying unwanted advertisements, or stealing sensitive information. It requires a privileged user to interact with malicious content, which can compromise the integrity and security of your site and its visitors. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious input or script injection attempts targeting the My auctions allegro plugin up to version 3.6.32. Since it is a reflected XSS vulnerability, you can look for unusual URL parameters or payloads in HTTP requests that include script tags or suspicious HTML. Using web application security scanners that detect XSS vulnerabilities can help. Specific commands depend on your environment, but for example, you can use curl or wget to test for reflected script injection by sending crafted requests and observing responses. Example command: curl -v 'http://your-site.com/path?param=<script>alert(1)</script>' and check if the script is reflected in the response. Additionally, reviewing web server logs for suspicious query strings or payloads can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the My auctions allegro plugin to version 3.6.33 or later, where the vulnerability is fixed. Until the update can be applied, you can use the automatic mitigation rule provided by Patchstack to block attack attempts. Enabling auto-update options for the plugin can also help ensure timely patching. Additionally, educating privileged users to avoid clicking suspicious links or submitting untrusted forms can reduce exploitation risk. [1]