Urgent: Patch Your My Auctions Allegro Plugin! Critical SQL Injection Vulnerability (CVE-2025-12850)

Overview

A critical SQL Injection vulnerability, identified as CVE-2025-12850, has been discovered in the My Auctions Allegro plugin for WordPress. This vulnerability affects all versions up to and including 3.6.32. Unauthenticated attackers can exploit this flaw to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database. Immediate action is required to update the plugin and mitigate the risk.

Technical Details

The vulnerability stems from insufficient escaping of the auction_id parameter and a lack of proper preparation in the existing SQL query within the My Auctions Allegro plugin. An attacker can manipulate the auction_id parameter to append additional SQL queries to the original query. This injected SQL code is then executed by the database server, enabling attackers to:

  • Extract sensitive data, such as user credentials, customer information, and auction details.
  • Modify or delete data within the database.
  • Potentially gain full control of the WordPress site.

The vulnerability exists because the plugin does not adequately sanitize user-supplied input before incorporating it into database queries.
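As an added illustration of the bug class described above (constructed for this note, not the plugin's own code, which this page does not reproduce), here is the same auction lookup written once with string interpolation and once with WordPress's $wpdb->prepare(); the table name, function names and AJAX action are assumptions:

```php
<?php
// Constructed illustration (not the plugin's code) of the vulnerability class:
// the same lookup with string interpolation, then with $wpdb->prepare().
// Assumes the WordPress $wpdb global and a hypothetical table {prefix}my_auctions.

// VULNERABLE pattern: $auction_id comes straight from the request and is
// interpolated into the query, so its contents are parsed as SQL, not as data.
function mya_get_auction_vulnerable( $auction_id ) {
    global $wpdb;
    $sql = "SELECT id, title, price FROM {$wpdb->prefix}my_auctions WHERE auction_id = '{$auction_id}'";
    return $wpdb->get_row( $sql );
}

// HARDENED pattern: cast to a non-negative integer first, then let
// $wpdb->prepare() bind the value. The %d placeholder forces an integer, so no
// part of the request string can ever reach the SQL parser as syntax.
function mya_get_auction_hardened( $auction_id ) {
    global $wpdb;
    $auction_id = absint( $auction_id );
    if ( 0 === $auction_id ) {
        return null; // reject empty or non-numeric input before touching the database
    }
    $sql = $wpdb->prepare(
        "SELECT id, title, price FROM {$wpdb->prefix}my_auctions WHERE auction_id = %d",
        $auction_id
    );
    return $wpdb->get_row( $sql );
}

// Typical call site: an unauthenticated front-end request handler. Registering
// under wp_ajax_nopriv_ is what makes input validation and prepare() mandatory,
// because anyone on the internet can reach this code path.
add_action( 'wp_ajax_nopriv_mya_get_auction', function () {
    $raw     = isset( $_GET['auction_id'] ) ? $_GET['auction_id'] : 0;
    $auction = mya_get_auction_hardened( $raw );
    if ( null === $auction ) {
        wp_send_json( array( 'error' => 'not found' ), 404 );
    }
    wp_send_json( $auction, 200 );
} );
```

When reviewing a plugin for this class of bug, look for any $wpdb->query(), get_row(), get_results() or get_var() call whose SQL string contains a variable that was not passed through $wpdb->prepare().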

CVSS Analysis

  • CVE ID: CVE-2025-12850
  • Severity: HIGH
  • CVSS Score: 7.5

A CVSS score of 7.5 indicates a high-severity vulnerability. This score reflects the fact that the vulnerability is remotely exploitable, requires no authentication, and can lead to significant data compromise and potential system takeover.

Possible Impact

Successful exploitation of this SQL Injection vulnerability can have severe consequences:

  • Data Breach: Sensitive information stored in the database, including user credentials and customer data, could be exposed.
  • Website Defacement: Attackers could modify or delete website content, leading to reputational damage.
  • Account Takeover: Attackers could gain unauthorized access to user accounts, including administrator accounts.
  • Malware Injection: Attackers could inject malicious code into the website, compromising visitors’ devices.

Mitigation or Patch Steps

The recommended mitigation is to immediately update the My Auctions Allegro plugin to the latest version. The vulnerability has been patched in versions released after 3.6.32. Here’s how to update:

  1. Log in to your WordPress admin dashboard.
  2. Navigate to Plugins > Installed Plugins.
  3. Locate the “My Auctions Allegro” plugin.
  4. If an update is available, click the “Update Now” link.
  5. If the update is not available through the WordPress dashboard, you may need to download the latest version from the WordPress plugin repository and manually install it.

If you are unable to update the plugin immediately, consider temporarily deactivating the plugin until the update can be performed. Additionally, consider using a web application firewall (WAF) to help detect and block malicious requests that attempt to exploit this vulnerability.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.