{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67943", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:06.384Z", "datePublished": "2026-01-22T16:51:53.901Z", "dateUpdated": "2026-04-28T19:27:33.399Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-auctions-allegro-free-edition", "product": "My auctions allegro", "vendor": "wphocus", "versions": [{"changes": [{"at": "3.6.33", "status": "unaffected"}], "lessThanOrEqual": "3.6.32", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:19.679Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.<p>This issue affects My auctions allegro: from n/a through <= 3.6.32.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.424Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve"}], "title": "WordPress My auctions allegro plugin <= 3.6.32 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T16:28:05.641256Z", "id": "CVE-2025-67943", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:27:33.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T16:28:05.641256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:27:38.209Z"}}], "cna": {"title": "WordPress My auctions allegro plugin <= 3.6.32 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "wphocus", "product": "My auctions allegro", "versions": [{"status": "affected", "changes": [{"at": "3.6.33", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.6.32"}], "packageName": "my-auctions-allegro-free-edition", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:19.679Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.<p>This issue affects My auctions allegro: from n/a through <= 3.6.32.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:11:32.286Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67943", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:11:32.286Z", "dateReserved": "2025-12-15T10:00:06.384Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:53.901Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en wphocus My auctions allegro my-auctions-allegro-free-edition permite XSS Reflejado. Este problema afecta a My auctions allegro: desde n/a hasta &lt;= 3.6.32."}], "id": "CVE-2025-67943", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:03.920", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:00:06.284017+00:00", "value": {"mitigation_remediation": ["Upgrade the My auctions allegro plugin to a version newer than 3.6.32, which resolves the reflected XSS path.", "If updating immediately is not possible, enforce output encoding on any user\u2011supplied data that the plugin reflects by using WordPress functions such as esc_html() or esc_attr().", "Consider deploying a web application firewall rule that detects and blocks common XSS payloads or monitors for reflected scripts."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress plugin My auctions allegro, Free Edition, developed by Wphocus. All releases from the initial version through 3.6.32 are vulnerable, so any WordPress site running a vulnerable instance of this plugin is at risk.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, allowing reflected cross\u2011site scripting (XSS). An attacker can supply malicious script that the plugin reflects back to the victim\u2019s browser; this flaw is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.1 places the flaw in the high severity range, and the EPSS score of less than 1\u202f% indicates a very low probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. While the CVE description does not specify an exploitation method, the typical attack vector for reflected XSS is a crafted request that injects payload into an unfiltered plugin output; the impact is confined to the user\u2019s browser session, and additional damage scope is not detailed in the CVE data."}}}}, "created": "2026-01-23T16:30:54.552593+00:00", "updated": "2026-04-28T10:00:06.514806+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wphocus", "wphocus$PRODUCT$my_auctions_allegro"]}