Platform: wordpress
Component: my-auctions-allegro-free-edition
Fixed in: 3.6.36
CVE-2026-22491 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the My auctions allegro free edition WordPress plugin. This vulnerability allows attackers to inject malicious scripts into web pages, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects versions from 0.0.0 up to and including 3.6.35. A patch is available to address this security flaw.
The primary impact of CVE-2026-22491 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be exploited to steal sensitive information like cookies, session tokens, and personal data entered into forms. An attacker could also redirect users to malicious websites, inject phishing prompts, or modify the appearance of the website to deceive users. The scope of impact depends on the plugin's functionality and the level of access granted to users within the My auctions allegro system. Successful exploitation could lead to significant data breaches and reputational damage.
CVE-2026-22491 was publicly disclosed on 2026-03-25. Currently, there are no reports of active exploitation in the wild. The availability of a public proof-of-concept (POC) is unknown at this time. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22491 is to upgrade the My auctions allegro free edition plugin to a version that includes the security patch. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing input validation and output encoding on user-supplied data within the plugin's code. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.
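As an added illustration of the output-encoding mitigation described above (this is not code from the My auctions allegro plugin, whose vulnerable code path is not described here), a hypothetical WordPress shortcode that reflects a request parameter is shown first in its reflected-XSS form and then hardened with WordPress' own sanitising and escaping functions; the function names and the `q` parameter are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical
// shortcode handler that reflects a request parameter back into HTML.

// BEFORE: the reflected XSS pattern. The query parameter is echoed
// straight into an attribute and into a text node without escaping,
// so any markup in ?q=... is rendered by the victim's browser.
function maa_example_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<form method="get">'
         . '<input name="q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>'
         . '</form>';
}

// AFTER: sanitise on input, then escape for the exact output context.
function maa_example_search_box_fixed() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, null bytes and control characters.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<form method="get">'
         . '<input name="q" value="' . esc_attr( $q ) . '">'  // attribute context
         . '<p>Results for: ' . esc_html( $q ) . '</p>'       // text-node context
         . '</form>';
}

// Shortcode handlers must return markup rather than echo it.
add_shortcode( 'maa_example_search', 'maa_example_search_box_fixed' );
```

Escaping is chosen per output context: esc_attr() for attribute values, esc_html() for element content, and esc_url() for href/src values; sanitising the input alone is not a substitute for escaping at output.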
CVE-2026-22491 is a Reflected XSS vulnerability affecting My auctions allegro versions 0.0.0–3.6.35, allowing attackers to inject malicious scripts into web pages.
If you are using My auctions allegro free edition version 0.0.0 through 3.6.35, you are potentially affected by this vulnerability.
Upgrade the My auctions allegro free edition plugin to a patched version. If immediate upgrade is not possible, implement input validation and output encoding.
As of now, there are no confirmed reports of active exploitation in the wild, but it is crucial to apply the patch proactively.
Refer to the My auctions allegro project's official website or WordPress plugin repository for the latest security advisory and patch information.