CVE-2025-2841: Cart66 Cloud <= 2.3.7 - Unauthenticated Information Exposure

5.3 CVSS

Description

The Cart66 Cloud plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.7 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

Classification

CVE ID: CVE-2025-2841

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: reality66

Product: Cart66 Cloud :: WordPress Ecommerce The Easy Way

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.76% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2841
https://www.wordfence.com/threat-intel/vulnerabilities/id/5be01bba-e4f4-4818-9612-fc37b648a349?source=cve
https://plugins.trac.wordpress.org/browser/cart66-cloud/tags/2.3.7/views/admin/html-system-info.php#L26
https://plugins.trac.wordpress.org/browser/cart66-cloud/tags/2.3.7/views/admin/html-system-info.php#L39
https://plugins.trac.wordpress.org/browser/cart66-cloud/tags/2.3.7/views/admin/html-system-info.php#L59
https://wordpress.org/plugins/cart66-cloud/#developers

Timeline

2025-04-12 03:40:21 UTC
CVE

Cart66 Cloud <= 2.3.7 - Unauthenticated Information Exposure