CVE-2025-31542
Published: 31 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-31542 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, specifically enabling Blind SQL Injection (CWE-89), in the WordPress plugin My Auctions Allegro (my-auctions-allegro-free-edition) developed by wphocus. The issue affects all versions of the plugin up to and including 3.6.20. Published on 2025-03-31, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact.
The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity and no user interaction required. Successful exploitation allows attackers to perform blind SQL injection, achieving high confidentiality impact (C:H) by extracting sensitive data from the database, alongside low availability impact (A:L) and a scope change (S:C) that amplifies the consequences beyond the vulnerable component.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-20-sql-injection-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version beyond 3.6.20 to mitigate the issue.
Details
- CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MITRE ATT&CK Enterprise Techniques
- T1213.006 Data from Information Repositories: Databases
Why these techniques?
The blind SQL injection vulnerability in the WordPress plugin directly enables extraction of sensitive data from the database by low-privileged authenticated users, mapping to T1213.006 Data from Information Repositories: Databases.