CVE-2024-10486: 
WordPress vulnerability analysis and mitigation

The Google for WooCommerce plugin for WordPress contains an Information Disclosure vulnerability (CVE-2024-10486) affecting all versions up to and including 2.8.6. The vulnerability was discovered and reported on November 18, 2024, by researcher Francesco Carlucci (Wordfence Intel).

The vulnerability stems from a publicly accessible printphpinformation.php file in the plugin. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to retrieve sensitive information about the webserver and PHP configuration. This exposed information can potentially be used by attackers to aid in other attacks against the system (NVD).

Website administrators running affected versions of the Google for WooCommerce plugin should update to a patched version when available. In the meantime, restricting access to the printphpinformation.php file through server configuration could serve as a temporary mitigation measure (NVD).