SecuriTricks - CVE-2024-6448

Description

The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

Product(s) Impacted

Product	Versions
Mollie Payments for WooCommerce plugin	up to 7.7.0

Weaknesses

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://plugins.trac.wordpress.org/browser/mollie-payments-for-woocommerce/tags/7.5.5/vendor/mollie/mollie-api-php/examples/initialize.php#L5

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3142176%40mollie-payments-for-woocommerce&new=3142176%40mollie-payments-for-woocommerce&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c98026c-28a9-4c69-9f34-4c3bd4f75d85?source=cve

CVSS Score

5.3 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Date

Published: Aug. 28, 2024, 4:15 a.m.
Last Modified: Aug. 28, 2024, 12:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2024-6448