CVE-2024-6687: 
WordPress vulnerability analysis and mitigation

The CTT Expresso para WooCommerce plugin for WordPress contains a sensitive information exposure vulnerability (CVE-2024-6687) affecting all versions up to and including 3.2.12. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on July 31, 2024 (Wordfence Advisory).

The vulnerability exists in the /wp-content/uploads/cepw directory where generated .pdf and log files are stored. These files are publicly accessible without proper access controls. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while Wordfence assessed it with a score of 5.3 (MEDIUM) (NVD Database).

The vulnerability exposes sensitive customer information stored in PDF and log files, including sender and receiver names, phone numbers, physical addresses, and email addresses. This information exposure could lead to privacy violations and potential misuse of personal data (NVD Database).

A patch has been released in version 3.2.13 of the CTT Expresso para WooCommerce plugin. Users are advised to update to this version or later to address the vulnerability (WordPress Plugin).