CVE-2025-12851 is a Local File Inclusion vulnerability in the My auctions allegro plugin for WordPress, affecting all versions up to and including 3.6.32. The vulnerability arises from improper validation of the 'controller' parameter, which is used in PHP include or require statements without sufficient sanitization. This allows unauthenticated attackers to manipulate the parameter to include arbitrary files from the server or potentially remote locations, leading to execution of arbitrary PHP code. The impact includes bypassing access controls, unauthorized data disclosure, and full remote code execution on the affected server. The vulnerability is categorized under CWE-98, which relates to improper control of filenames in include/require statements. The CVSS v3.1 base score is 8.1, reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's nature makes it a critical risk for WordPress sites using this plugin, especially those handling sensitive auction or e-commerce data. The lack of available patches at the time of publication necessitates immediate attention and mitigation.

The vulnerability allows attackers to execute arbitrary PHP code on the server hosting the vulnerable WordPress plugin, potentially leading to full system compromise. This can result in unauthorized access to sensitive auction data, user credentials, and other confidential information. Attackers may also bypass authentication mechanisms, manipulate or delete data, and disrupt service availability. For organizations relying on this plugin for e-commerce or auction functionality, exploitation could lead to financial losses, reputational damage, and regulatory non-compliance. The ease of exploitation without authentication and user interaction increases the risk of widespread attacks. Additionally, compromised servers could be used as pivot points for further attacks within an organization's network or for launching attacks against other targets.

Since no official patches are currently available, organizations should immediately implement the following mitigations: 1) Disable or remove the My auctions allegro plugin until a secure version is released. 2) Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block attempts to exploit LFI vulnerabilities, particularly targeting the 'controller' parameter. 3) Restrict file inclusion paths via PHP configuration (e.g., open_basedir) to limit accessible directories. 4) Monitor web server logs for suspicious requests that attempt to manipulate the 'controller' parameter or include unexpected files. 5) Harden server permissions to prevent unauthorized file uploads or modifications. 6) Educate administrators on the risks of installing unverified plugins and encourage regular vulnerability scanning of WordPress environments. Once a patch is released, prioritize immediate update of the plugin to the fixed version.