My Auctions Allegro WordPress Plugin Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the My Auctions Allegro plugin for WordPress, affecting all versions through 3.6.32. The vulnerability arises from improper handling of the 'controller' request parameter: its value is used to select a file to include without adequate validation, so unauthenticated attackers can cause arbitrary files on the server to be included and executed. Successful exploitation allows any PHP code contained in the included files to run, which can bypass access controls, expose sensitive data, or achieve code execution in deployments where images or other 'safe' file types can be uploaded and then included.
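The advisory does not reproduce the plugin's own code, so the following is an added, generic illustration rather than the My Auctions Allegro source: a WordPress-style dispatcher in which the 'controller' parameter chooses the file to include, shown first in the unsafe form described above and then hardened with an allowlist plus a resolved-path check. The controller names, the controllers/ directory layout and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the My Auctions Allegro plugin. Shows the
// request-controlled include pattern that produces a local file inclusion,
// and a hardened replacement. Controller names and directory layout are assumed.

// --- Unsafe pattern (do not use): the request decides which file is included.
function unsafe_dispatch(): void
{
    $controller = $_GET['controller'] ?? 'index';
    // Traversal sequences or a path to an uploaded file reach this include unchanged.
    include __DIR__ . '/controllers/' . $controller . '.php';
}

// --- Hardened pattern: map the parameter onto a fixed allowlist and confirm the
// resolved path stays inside the controllers directory before including it.
function safe_resolve_controller(string $requested): ?string
{
    // Allowlist of controller names (hypothetical); anything else is rejected.
    static $allowed = ['index', 'auctions', 'settings'];

    // sanitize_key() is WordPress core: lowercases and strips everything except
    // a-z, 0-9, '_' and '-'. Use a local equivalent when run outside WordPress.
    $name = function_exists('sanitize_key')
        ? sanitize_key($requested)
        : strtolower(preg_replace('/[^A-Za-z0-9_\-]/', '', $requested));

    if (!in_array($name, $allowed, true)) {
        return null;
    }

    $base = realpath(__DIR__ . '/controllers');
    $path = ($base === false) ? false
        : realpath($base . DIRECTORY_SEPARATOR . $name . '.php');

    // Defence in depth: even with an allowlist, refuse anything realpath()
    // resolves outside the base directory (for example via symlinks).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function safe_dispatch(): void
{
    $raw = $_GET['controller'] ?? 'index';
    if (!is_string($raw)) {
        $raw = ''; // arrays or other non-string input are never a valid controller
    }

    $path = safe_resolve_controller($raw);
    if ($path === null) {
        // Unknown controller: fail closed and leave a log line for detection.
        error_log('dispatcher: rejected controller parameter: ' . substr($raw, 0, 100));
        http_response_code(400);
        exit;
    }
    require $path;
}
```

The allowlist is the actual control: the parameter only ever selects among names the code already knows, so the include target is never attacker-derived. The realpath() comparison is a second layer that also catches misconfigurations inside the controllers directory, and the error_log() call gives site operators a signal to alert on when rejected values appear in bulk.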
Impact
Exploitation of this vulnerability could result in unauthorized file inclusion, allowing attackers to execute arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive information, or execute malicious code, especially in cases where uploaded files can be included and executed.
Remediation
Users are advised to update the My Auctions Allegro WordPress plugin to version 3.6.33 or a later patched version.