Sensitive Information Exposure in CTT Expresso Plugin
CVE-2024-6687

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Ctt Expresso Para WooCommerce
Vendor: CVE Published:; 1 August 2024

Summary

The CTT Expresso para WooCommerce plugin for WordPress presents a significant security issue due to the exposure of sensitive information. All versions up to and including 3.2.12 are vulnerable, allowing unauthorized access to the /wp-content/uploads/cepw directory. This directory contains generated .pdf and log files accessible to the public, revealing sensitive data such as sender and receiver names, contact numbers, physical addresses, and email addresses. Organizations using this plugin should assess their risk and take immediate steps to secure their data.

Affected Version(s)

CTT Expresso para WooCommerce * <= 3.2.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 1, 2024
Vulnerability Reserved
Jul 11, 2024

Credit

Ricardo Silva