CVE-2026-22464
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wphocus | my_auctions_allegro | to 3.6.33 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to include and display local files, potentially exposing sensitive information such as database credentials. This exposure could lead to a complete database takeover, which may result in unauthorized access to personal or protected data. Such a breach could negatively impact compliance with data protection regulations like GDPR and HIPAA by compromising the confidentiality and integrity of sensitive information. [1]
Can you explain this vulnerability to me?
CVE-2026-22464 is a Local File Inclusion (LFI) vulnerability in the WordPress plugin 'My auctions allegro' up to version 3.6.33. It allows an attacker with Contributor or Developer privileges to include and display local files from the target website. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover depending on the website's configuration. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive information stored on the server, such as database credentials. If exploited, it could lead to a complete database takeover, compromising the integrity and confidentiality of your data and potentially affecting the entire website's security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Local File Inclusion (LFI) vulnerability involves monitoring for suspicious requests that attempt to include local files via the plugin. Since the vulnerability allows attackers with Contributor or Developer privileges to include local files, you can look for unusual URL parameters or POST data that reference local file paths. Specific commands are not provided in the available resources. However, general detection methods include reviewing web server logs for suspicious include/require statements or unexpected file access patterns related to the 'My auctions allegro' plugin. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting Contributor or Developer privileges to trusted users only, as exploitation requires such access. Since no official fix or patched version is currently available, monitoring and limiting user permissions is critical. Additionally, consider disabling or removing the 'My auctions allegro' plugin if it is not essential, and monitor your website for suspicious activity related to file inclusion attempts. [1]