
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-6064 is a vulnerability in the PayHere Payment Gateway WordPress plugin that affects versions before 2.2.12. It was publicly disclosed on December 7, 2023: during transaction processing, the plugin automatically creates publicly accessible log files that contain sensitive information. Websites using the PayHere Payment Gateway WordPress plugin are affected (WPScan Advisory).
The vulnerability is classified as a Sensitive Data Disclosure issue, corresponding to CWE-532 (Insertion of Sensitive Information into Log File) and CWE-200. It has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (NVD Database).
When transactions occur, the plugin creates log files that are publicly accessible, potentially exposing sensitive transaction information to unauthorized users. This aligns with OWASP Top 10 category A3: Sensitive Data Exposure, presenting a significant risk to payment data confidentiality (WPScan Advisory).
The vulnerability has been fixed in version 2.2.12 of the PayHere Payment Gateway WordPress plugin. Users are strongly advised to update to this version or later to prevent unauthorized access to sensitive log data (WPScan Advisory).
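A local audit for the condition described above, as an added example that is not code from the advisory or the plugin: it reads the `Version:` header from a plugin directory, compares it numerically against 2.2.12, and lists log files left on disk. The directory path is supplied by the operator, the `.log` extension is an assumed naming, and the sample plugin files in `demo()` are constructed.

```python
import os
import re
import tempfile

FIXED = (2, 2, 12)  # first fixed release according to the advisory

def parse_version(header_text):
    """Extract the 'Version:' field of a WordPress plugin header as an int tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when version is before 2.2.12; an unreadable version counts as affected."""
    if version is None:
        return True
    # Compare numerically: as strings, "2.2.9" would sort after "2.2.12".
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def audit_plugin(plugin_dir):
    """Report plugin version, affected status, and .log files under plugin_dir."""
    version = None
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php") and version is None:
            with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read(8192))  # header sits at the top of the file
    logs = sorted(
        os.path.relpath(os.path.join(base, f), plugin_dir)
        for base, _dirs, files in os.walk(plugin_dir)
        for f in files
        if f.lower().endswith(".log")  # assumed extension; adjust to what is on disk
    )
    return {"version": version, "affected": is_affected(version), "log_files": logs}

def demo():
    """Run the audit over a constructed plugin directory (not the real plugin)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "plugin-main.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\n * Plugin Name: Example Gateway\n * Version: 2.2.9\n */\n")
        os.mkdir(os.path.join(d, "logs"))
        open(os.path.join(d, "logs", "transactions.log"), "w").close()
        return audit_plugin(d)

if __name__ == "__main__":
    print(demo())
```

Log files written before the upgrade stay on disk after it, so anything listed in `log_files` still needs to be reviewed and removed or moved outside the web root.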
Source: This report was generated using AI