CVE-2025-12851
My · My auctions allegro plugin for WordPress
A high-severity vulnerability has been identified in the "My auctions allegro" WordPress plugin, affecting all versions up to and including version 3.
Executive summary
A high-severity vulnerability has been identified in the "My auctions allegro" WordPress plugin, affecting all versions up to and including version 3. This flaw allows an unauthenticated attacker to read sensitive files from the underlying server, such as configuration files containing database credentials. Successful exploitation could lead to a complete compromise of the affected website and its data.
Vulnerability
The plugin is vulnerable to Local File Inclusion (LFI). This vulnerability stems from improper validation of user-supplied input that is used to construct file paths. An unauthenticated remote attacker can exploit this by crafting a special request containing directory traversal sequences (e.g., ../) to manipulate the file path and force the application to include and display the contents of arbitrary files on the server, such as wp-config.php or /etc/passwd.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to the exposure of highly sensitive information, including database credentials, system user accounts, application source code, and other configuration details. This information could be leveraged by an attacker to escalate privileges, gain full control over the web server, compromise the website's database, and potentially pivot to other systems within the internal network, resulting in significant data breaches, reputational damage, and operational disruption.
Remediation
Immediate Action: Update the "My auctions allegro" plugin to the latest available version (newer than version 3) without delay. If the plugin is not critical to business operations, the recommended course of action is to disable and completely remove it to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for any requests to the vulnerable plugin's components that contain directory traversal patterns (e.g., ../, ..%2f). Implement File Integrity Monitoring (FIM) to generate alerts on any unauthorized access to critical configuration files like wp-config.php.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block LFI and directory traversal attacks. Additionally, enforce strict file system permissions to restrict the web server user's ability to read sensitive files outside of the web root directory.
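The log review described under Proactive Monitoring, as an added example that is not part of the advisory: a small Python scanner that reads combined-format access log entries, percent-decodes the request URL repeatedly so that encoded (`..%2f`) and double-encoded (`..%252f`) traversal sequences are caught, and reports requests to the plugin directory that contain a `../` segment. The plugin directory and the log lines are constructed placeholders; the advisory does not name the vulnerable component.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The plugin path
# segment is an assumed placeholder, not a path taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2025:10:00:01 +0000] "GET /wp-content/plugins/my-auctions-allegro/page.php?file=../../../../wp-config.php HTTP/1.1" 200 1024
203.0.113.11 - - [01/Nov/2025:10:00:02 +0000] "GET /wp-content/plugins/my-auctions-allegro/page.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512
203.0.113.12 - - [01/Nov/2025:10:00:03 +0000] "GET /wp-content/plugins/my-auctions-allegro/page.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 512
198.51.100.5 - - [01/Nov/2025:10:00:04 +0000] "GET /wp-content/plugins/my-auctions-allegro/page.php?file=auction.html HTTP/1.1" 200 2048
198.51.100.6 - - [01/Nov/2025:10:00:05 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 100
"""

PLUGIN_PATH = "/wp-content/plugins/my-auctions-allegro/"  # assumed placeholder
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" after decoding


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also exposed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(url):
    """True if the decoded request URL contains a parent-directory segment."""
    return TRAVERSAL_RE.search(decode_fully(url)) is not None


def find_lfi_attempts(log_text, plugin_path=PLUGIN_PATH):
    """Return (ip, status, decoded url) for traversal requests aimed at the plugin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = m.group("url")
        if url.startswith(plugin_path) and is_traversal(url):
            hits.append((m.group("ip"), int(m.group("status")), decode_fully(url)))
    return hits


if __name__ == "__main__":
    for ip, status, url in find_lfi_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {url}")
```

A 200 status on a flagged request is the case to escalate, since it suggests the include succeeded; scope the plugin path to the actual component named in your patched vendor bulletin.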
Exploitation status
Public Exploit Available: False
Analyst recommendation
This is a high-severity vulnerability that presents a direct and credible risk of sensitive data exposure and server compromise. Given the ease of exploitation, it is imperative that organizations take immediate action. We strongly recommend that all internet-facing WordPress instances be audited for the presence of the "My auctions allegro" plugin and that the plugin is updated or removed immediately. Although this CVE is not currently on the CISA KEV list, its high CVSS score warrants treatment with the highest priority.