A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been identified in multiple wphocus My auctions products. This flaw allows an attacker to trick a logged-in user into unknowingly performing malicious actions, such as modifying or deleting auction data, which could lead to financial loss and reputational damage. Organizations are urged to apply the vendor-provided security patches immediately to mitigate this risk.

The vulnerability is a Cross-Site Request Forgery (CSRF) flaw within the "my-auctions-allegro-free-edition" plugin and potentially other products. The application fails to properly validate that requests to perform sensitive actions originate from the legitimate user's interface. An attacker can exploit this by crafting a malicious link or web page and tricking an authenticated user into visiting it. When the victim accesses the malicious content, their browser automatically sends a request to the vulnerable application, including their active session cookies, allowing the attacker to perform actions on behalf of the victim without their consent.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a significant negative impact on the business. An attacker could force an administrator or user to perform unauthorized actions such as deleting active auctions, altering auction prices, changing account settings, or redirecting payments. These actions can lead to direct financial loss, loss of customer trust, operational disruption, and damage to the organization's reputation.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor, wphocus, across all instances of the affected software immediately. After patching, it is crucial to monitor application and web server logs for any signs of exploitation attempts that may have occurred before the patch was applied.

Proactive Monitoring: Security teams should actively monitor for anomalies in web server access logs, focusing on unexpected POST requests to administrative or auction management functions. Look for requests with unusual or blank referrer headers, which can be an indicator of a CSRF attempt. Implement alerts for rapid or unauthorized changes to auction listings or user account details.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block common CSRF patterns. Enforce a strict same-site cookie policy and educate privileged users on the risks of clicking unsolicited links, advising them to log out of their sessions when not in use.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the direct potential for financial and reputational harm, this vulnerability requires immediate attention. Although it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants urgent action. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected systems without delay to prevent potential exploitation.