Platform: wordpress
Component: my-auctions-allegro-free-edition
Fixed in: 3.6.34
CVE-2025-68567 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the My auctions allegro WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications or deletions of auction listings. The vulnerability impacts versions from 0.0.0 up to and including 3.6.33, and a patch is available in version 3.6.34.
A successful CSRF attack could allow an attacker to manipulate auction listings without the user's knowledge or consent. This could involve changing bid prices, marking items as sold, or even deleting listings entirely. The attacker would need to craft a malicious request and trick the user into visiting a page containing that request, typically through phishing or social engineering techniques. The blast radius is limited to the user's account and the actions they have permission to perform within the plugin. While not directly leading to system compromise, it can cause significant disruption and financial loss for users and auction participants.
CVE-2025-68567 was publicly disclosed on December 24, 2025. No public proof-of-concept (PoC) code is currently known. The EPSS score is pending evaluation. There are no indications of active exploitation campaigns targeting this vulnerability at this time. Refer to the vendor's advisory for further details.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the My auctions allegro plugin to version 3.6.34 or later. If an immediate upgrade is not possible because of compatibility issues or testing requirements, consider temporary workarounds: adding CSRF tokens (WordPress nonces) to all sensitive forms and actions within the plugin, or using a Web Application Firewall (WAF) to filter out requests that do not originate from the site's own forms. Review user permissions and restrict access to sensitive functions where possible. After upgrading, confirm in a test environment that state-changing requests to the plugin submitted without a valid nonce are rejected or fail.
Update to version 3.6.34, or a newer patched version
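The "CSRF tokens" workaround above maps onto WordPress nonces. The following is an added illustration, not code from the My auctions allegro plugin, showing a hypothetical listing-deletion handler first without and then with the nonce and capability checks; the hook name, action name, field names and capability are placeholders.

```php
<?php
// Added example (not the plugin's own code). Names below are hypothetical.

// --- Vulnerable pattern: any POST that reaches this hook deletes a listing. ---
// Nothing ties the request to a form served by this site, so a page the
// logged-in user visits elsewhere can submit it on their behalf (CSRF).
function myplugin_delete_listing_vulnerable() {
    if ( isset( $_POST['listing_id'] ) ) {
        wp_delete_post( (int) $_POST['listing_id'], true );
    }
}

// --- Hardened pattern: nonce emitted in the form, verified on submit. ---
function myplugin_render_delete_form( $listing_id ) {
    $listing_id = (int) $listing_id;
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_delete_listing">';
    echo '<input type="hidden" name="listing_id" value="' . $listing_id . '">';
    // Nonce bound to the current user, this action and this specific listing.
    wp_nonce_field( 'myplugin_delete_listing_' . $listing_id, '_myplugin_nonce' );
    submit_button( 'Delete listing' );
    echo '</form>';
}

function myplugin_delete_listing_handler() {
    $listing_id = isset( $_POST['listing_id'] ) ? (int) $_POST['listing_id'] : 0;
    $nonce      = isset( $_POST['_myplugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_myplugin_nonce'] ) ) : '';

    // 1. CSRF check: the nonce must have been issued for this action and listing.
    if ( ! wp_verify_nonce( $nonce, 'myplugin_delete_listing_' . $listing_id ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Authorization check: a valid nonce proves intent, not permission.
    //    'edit_others_posts' is a placeholder capability.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    wp_delete_post( $listing_id, true );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_delete_listing', 'myplugin_delete_listing_handler' );
```

The same two checks apply to AJAX and REST endpoints; a missing nonce check on any state-changing handler is the defect class this CVE describes.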
CVE-2025-68567 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the My auctions allegro WordPress plugin, versions 0.0.0 through 3.6.33, that allows an attacker to perform unauthorized actions on behalf of an authenticated user.
You are affected if you are using My auctions allegro plugin versions 0.0.0 through 3.6.33. Upgrade to 3.6.34 or later to mitigate the risk.
Upgrade the My auctions allegro plugin to version 3.6.34 or later. Consider temporary workarounds like CSRF tokens or a WAF if immediate upgrade is not possible.
There are currently no indications of active exploitation campaigns targeting CVE-2025-68567, but vigilance is still advised.
Refer to the vendor's advisory for the most up-to-date information and official recommendations regarding CVE-2025-68567.