Vulnerabilities and security researches forultimate-auction ultimate-auction

Jun 07, 2024

CVE, Research URL: 8e7d1b2e96560e4407df0ba2ca77d987e31618b7
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Jan 09, 2020
Research Description: Ultimate WordPress Auction Plugin [ultimate-auction] < 4.0.6 (closed) WordPress Ultimate Auction plugin <= 4.0.5 - Multiple CSRF & XSS vulnerabilities Multiple CSRF & XSS vulnerabilities found in WordPress Ultimate Auction plugin (versions <= 4.0.5).
Affected versions: max 4.0.6.
Status: vulnerable

Jul 12, 2024

CVE, Research URL: CVE-2024-37543
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Jan 02, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Nitesh Singh Ultimate Auction allows Cross Site Request Forgery.This issue affects Ultimate Auction : from n/a through 4.2.5.
Affected versions: max 4.2.6.
Status: vulnerable

Jul 28, 2024

CVE, Research URL: CVE-2024-6591
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Jul 27, 2024
Research Description: The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address.
Affected versions: max 4.2.8.
Status: vulnerable

Mar 05, 2025

CVE, Research URL: CVE-2025-0958
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Mar 04, 2025
Research Description: The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.
Affected versions: max 4.3.0.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-68084
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Dec 16, 2025
Research Description: Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Auction : from n/a through <= 4.3.2.
Affected versions: max 4.3.2.
Status: vulnerable

CVE, Research URL: CVE-2025-66125
Home page URL: Security reports for Ultimate WordPress Auction Plugin
Application: Ultimate WordPress Auction Plugin
Date: Dec 16, 2025
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in Nitesh Ultimate Auction ultimate-auction allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Auction : from n/a through <= 4.3.2.
Affected versions: max 4.3.2.
Status: vulnerable