CVE-2025-12851

CVE-2025-12851 is a Local File Inclusion (LFI) vulnerability in the My Auctions Allegro plugin for WordPress, affecting all versions up to and including 3.6.32. The issue arises from improper handling of the 'controller' parameter, which allows attackers to include and execute arbitrary files on the server, potentially leading to the execution of PHP code within those files. Published on 2025-12-05, it is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.

Unauthenticated attackers can exploit this vulnerability remotely over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables the inclusion of arbitrary server files, allowing PHP code execution to bypass access controls, exfiltrate sensitive data, or achieve remote code execution in scenarios where "safe" file types like images can be uploaded and subsequently included.

Mitigation is addressed in the plugin patch via changeset 3402268, available at https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition. Further details on the vulnerability and remediation are provided in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/202a8493-6df0-4a5e-b6bf-099219830e01?source=cve. Security practitioners should update the plugin immediately and review server configurations for file upload restrictions.