vulnerability
WordPress Plugin: woocommerce-mercadopago: CVE-2024-3934: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:C/I:N/A:N) | Jul 19, 2024 | May 15, 2025 | Jun 24, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:C/I:N/A:N)
Published
Jul 19, 2024
Added
May 15, 2025
Modified
Jun 24, 2025
Description
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to Path Traversal in versions 7.3.0 to 7.5.1 via the mercadopagoDownloadLog function. This makes it possible for authenticated attackers, with subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information. The arbitrary file download was patched in 7.5.1, while the missing authorization was corrected in version 7.6.2.
Solution
woocommerce-mercadopago-plugin-cve-2024-3934
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.