CVE-2024-12255: 
WordPress vulnerability analysis and mitigation

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-12255) affecting all versions up to and including 2.5. The vulnerability exists in the cf7sa-info.php file that returns phpinfo() data, allowing unauthenticated attackers to access sensitive configuration information (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue stems from the exposure of phpinfo() data through the cf7sa-info.php file, which can be accessed without authentication. This vulnerability has been classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-732 (Incorrect Permission Assignment for Critical Resource) (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive configuration information from the WordPress installation, which could potentially be leveraged in subsequent attacks. The exposure of phpinfo() data can reveal critical system configuration details, including server settings, PHP configuration, and other sensitive information that should not be publicly accessible (NVD).

Users should update to a version newer than 2.5 once available. In the meantime, it is recommended to restrict access to the cf7sa-info.php file through server configuration or remove it entirely if not required for operation (NVD).