CVE-2026-22464
📋 TL;DR
This CVE describes a PHP Local File Inclusion vulnerability in the My auctions allegro WordPress plugin. Attackers can exploit improper filename control in include/require statements to read sensitive files on the server. WordPress sites using the affected plugin versions are vulnerable.
💻 Affected Systems
- My auctions allegro free edition WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via reading sensitive files like /etc/passwd, wp-config.php, or executing arbitrary code through PHP wrappers.
Likely Case
Unauthorized access to sensitive configuration files, database credentials, and potentially limited code execution.
If Mitigated
Limited impact if file permissions are restrictive and PHP wrappers are disabled.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.6.33
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'My auctions allegro free edition'. 4. Click 'Update Now' if available. 5. If no update, deactivate and delete the plugin.
🔧 Temporary Workarounds
Disable PHP wrappers
allPrevent PHP from using URL wrappers like php://input or data://
Edit php.ini and set: allow_url_fopen = Off
Edit php.ini and set: allow_url_include = Off
Restrict file permissions
linuxSet strict file permissions on sensitive directories
chmod 640 wp-config.php
chmod 640 /etc/passwd
🧯 If You Can't Patch
- Deactivate and remove the My auctions allegro plugin immediately
- Implement web application firewall rules to block LFI patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > My auctions allegro free edition version numberCheck Version:
wp plugin list --name='my-auctions-allegro-free-edition' --field=versionVerify Fix Applied:
Verify plugin version is greater than 3.6.33 or plugin is removed📡 Detection & Monitoring
Log Indicators:
- HTTP requests with suspicious parameters like 'file=../../etc/passwd'
- PHP warnings about failed file inclusions
Network Indicators:
- HTTP requests to plugin endpoints with path traversal sequences
SIEM Query:
source="web_logs" AND (uri="*my-auctions-allegro*" AND (param="*../*" OR param="*php://*"))