CVE-2024-3934

MEDIUM

Mercado Pago payments for WooCommerce <7.5.1 - Path Traversal

Description

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to Path Traversal in versions 7.3.0 to 7.5.1 via the mercadopagoDownloadLog function. This makes it possible for authenticated attackers, with subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information. The arbitrary file download was patched in 7.5.1, while the missing authorization was corrected in version 7.6.2.

Scores

CVSS v3: 6.5
EPSS: 0.0067
EPSS Percentile: 47.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1): claudiosanches/Mercado Pago payments for WooCommerce 7.3.0 - 7.6.1
Published: Jul 20, 2024
Tracked Since: Feb 18, 2026