
CVE-2023-6064: CWE-200 Information Exposure in Unknown PayHere Payment Gateway

Severity: High
Tags: vulnerability, CVE-2023-6064, CWE-200
Published: Mon Jan 01 2024 (01/01/2024, 14:18:52 UTC)
Source: CVE
Vendor/Project: Unknown
Product: PayHere Payment Gateway

Description

The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.

AI-Powered Analysis

Last updated: 07/03/2025, 15:39:35 UTC

Technical Analysis

CVE-2023-6064 is a high-severity information exposure vulnerability affecting the PayHere Payment Gateway WordPress plugin in versions prior to 2.2.12. Whenever a payment transaction occurs, the plugin automatically writes log files into a location that the web server serves publicly. These logs contain transaction-related sensitive information, which could include personally identifiable information (PII), payment details, or other confidential data. Because the files are served without authentication or any user interaction, anyone who knows or guesses their location can retrieve them. The issue is classified as CWE-200 (Information Exposure): sensitive information is inadvertently disclosed to unauthorized parties. The CVSS 3.1 base score of 7.5 reflects the ease of remote exploitation (network vector, no privileges required, no user interaction) and the high impact on confidentiality; integrity and availability are not affected. No known exploits are currently reported in the wild, and no official patches or updates are linked yet, but the issue is publicly disclosed and documented by WPScan and CVE databases. The vulnerability specifically affects WordPress sites running the PayHere Payment Gateway plugin, a niche but critical component for e-commerce and online payment processing on WordPress.

Potential Impact

For European organizations, especially those operating e-commerce websites or online services on WordPress with the PayHere Payment Gateway plugin, this vulnerability poses a significant risk to customer data confidentiality. Exposure of payment transaction logs can amount to a data breach involving customer names, payment details, and potentially other personal information protected under GDPR, with the attendant regulatory penalties, loss of customer trust, and reputational damage. Exposed payment information could also facilitate fraud, identity theft, or targeted phishing against affected customers. Since integrity and availability are not affected, the primary concern is unauthorized data disclosure. Because exploitation requires neither authentication nor user interaction, automated scanning and data harvesting by malicious actors are likely. European organizations must weigh the GDPR compliance implications alongside the financial and operational impact of a breach stemming from this vulnerability.

Mitigation Recommendations

Immediate mitigation steps include:

1) Update the PayHere Payment Gateway plugin to version 2.2.12 or later once available; this will likely address the issue by restricting log file access or disabling public logging.
2) Until an official patch is released, manually restrict access to the log files with web server rules (e.g., .htaccess for Apache or an equivalent location block for Nginx) that deny public requests for the log directory or files.
3) Review and audit existing log files for exposed sensitive data, then securely delete them or archive them offline.
4) Implement monitoring and alerting for unauthorized access attempts to log files and for unusual file access patterns.
5) Consider disabling the plugin's logging features if this can be done without disrupting payment processing.
6) Conduct a security review of all installed WordPress plugins and ensure that none expose sensitive data through logs or other mechanisms.
7) Educate development and operations teams about secure logging practices and the risks of publicly accessible sensitive information.

These mitigations go beyond generic advice by focusing on immediate access control and log management specific to this vulnerability.
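Steps 2 and 3 above describe a concrete procedure: deny direct HTTP requests for log files at the web server and audit the document root for log files that are not yet protected. The following POSIX shell script is an added example, not code from the advisory, from WPScan, or from the PayHere plugin. It assumes an Apache 2.4 or Nginx front end and uses a placeholder log directory name (`payhere-logs`) because the advisory does not state where the plugin writes its logs; the sample document root and its log contents are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): emit web-server rules that
# deny direct HTTP access to log files, and audit a WordPress document root for
# *.log files whose directory carries no such protection.
# ASSUMPTION: the "payhere-logs" directory name is a placeholder, not the plugin's real path.

# Print an Apache 2.4+ .htaccess fragment that refuses direct requests for log files.
apache_deny_rules() {
  cat <<'EOF'
# Deny direct HTTP access to log files (Apache 2.4+ syntax)
<FilesMatch "\.(log|txt)$">
    Require all denied
</FilesMatch>
EOF
}

# Print an Nginx server-block fragment with the same effect for wp-content.
nginx_deny_rules() {
  cat <<'EOF'
# Deny direct HTTP access to log files under wp-content
location ~* ^/wp-content/.*\.(log|txt)$ {
    deny all;
    return 404;
}
EOF
}

# Audit step: list every *.log under DOCROOT/wp-content whose own directory lacks
# an .htaccess containing "Require all denied". One path per line; empty if clean.
find_unprotected_logs() {
  docroot="$1"
  find "$docroot/wp-content" -type f -name '*.log' 2>/dev/null | while IFS= read -r f; do
    d=$(dirname "$f")
    if ! grep -qs 'Require all denied' "$d/.htaccess"; then
      printf '%s\n' "$f"
    fi
  done
}

# Constructed sample document root for demonstration: one log directory protected by
# the Apache rules above, one left exposed. Prints the temp root path.
build_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/payhere-logs" "$root/wp-content/uploads/other-logs"
  # Constructed transaction log line, mimicking the kind of data the advisory says is exposed.
  printf 'order=123 email=buyer@example.com amount=49.99\n' \
    > "$root/wp-content/uploads/payhere-logs/2024-01-01.log"
  printf 'info\n' > "$root/wp-content/uploads/other-logs/app.log"
  apache_deny_rules > "$root/wp-content/uploads/other-logs/.htaccess"
  printf '%s\n' "$root"
}

# Usage: sh audit_logs.sh /var/www/html   (audits that document root and exits)
if [ "$#" -gt 0 ]; then
  find_unprotected_logs "$1"
fi
```

The audit only checks for the Apache-style per-directory rule; on Nginx, where .htaccess is ignored, treat every path it prints as exposed until the `location` block above (or an equivalent) is in place, and confirm the result by requesting one of the listed files through the web server and expecting a 403 or 404.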


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2023-11-09T19:37:57.339Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9815c4522896dcbd63f9

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/3/2025, 3:39:35 PM

Last updated: 8/17/2025, 6:44:43 PM

