WordPress Plugin Vulnerabilities

PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure

Description

The plugin automatically creates publicly-accessible log files containing sensitive information when transactions occur.

Proof of Concept

https://www.suppliment.lk/wp-content/uploads/payhere-logs/?SD
https://www.medic.lk/wp-content/uploads/payhere-logs/?SD

Affects Plugins

Plugin icon
payhere-payment-gateway
Fixed in 2.2.12

References

CVE
CVE-2023-6064

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200

Miscellaneous

Original Researcher
Supun Halangoda
Submitter
Supun Halangoda
Submitter website
https://supunhalangoda.com
Submitter twitter
suppaboy
Verified
Yes
WPVDB ID
423c8881-628b-4380-9677-65b3f5165efe

Timeline

Publicly Published
2023-12-07 (about 5 months ago)
Added
2023-12-08 (about 5 months ago)
Last Updated
2023-12-08 (about 5 months ago)

Other

Published
Title
Published
2024-02-17
Title
Seriously Simple Podcasting < 3.0.0 - Unauthenticated Administrator Email Disclosure
Published
2023-11-14
Title
EWWW Image Optimizer < 7.2.1 - Unauthenticated Sensitive Information Exposure via Debug Log
Published
2023-08-14
Title
InfiniteWP Client < 1.12.1 - Unauthenticated Sensitive Information Exposure
Published
2022-11-10
Title
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
Published
2021-02-23
Title
Web-Stat < 1.4.1 - API Key Disclosure