CVE-2025-2841: 
WordPress vulnerability analysis and mitigation

The Cart66 Cloud plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2025-2841) affecting all versions up to and including 2.3.7. The vulnerability was discovered and disclosed on April 11, 2025, impacting the WordPress e-commerce plugin through its publicly accessible phpinfo.php script (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability exists in the system information display functionality of the plugin, specifically through an exposed phpinfo.php script (NVD).

The vulnerability allows unauthenticated attackers to access potentially sensitive information contained in the exposed phpinfo file. This information could include server configuration details, PHP settings, and other system-related information that could be used to plan further attacks (NVD).

Users of the Cart66 Cloud plugin should upgrade to a version newer than 2.3.7 once available. Until then, website administrators should consider implementing additional security controls to restrict access to the affected file (NVD).