The Mercado Pago payments plugin for WooCommerce, developed by claudiosanches, contains a path traversal vulnerability identified as CVE-2024-3934. This vulnerability exists in versions 7.3.0 through 7.5.1 within the mercadopagoDownloadLog function. The flaw allows authenticated attackers with subscriber-level privileges or higher to manipulate file path inputs to access and download arbitrary files from the hosting server. This is due to improper limitation of pathname inputs (CWE-22), enabling traversal outside the intended restricted directory. The unauthorized file access can expose sensitive data such as configuration files, credentials, or logs. The arbitrary file download issue was fixed in version 7.5.1, but authorization checks were only added in version 7.6.2, meaning earlier patched versions might still allow unauthorized access if attackers have subscriber-level accounts. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact without affecting integrity or availability. No public exploits or active exploitation have been reported to date. The vulnerability affects WordPress sites using the Mercado Pago payments plugin within the specified versions, which is popular in e-commerce environments, especially in Latin America. The vulnerability highlights the risk of insufficient input validation and missing authorization in web application plugins handling payment processing and sensitive data.

The primary impact of CVE-2024-3934 is unauthorized disclosure of sensitive server-side files, which can include configuration files, API keys, payment credentials, or user data. This compromises confidentiality and can lead to further attacks such as credential theft, privilege escalation, or data breaches. Since the vulnerability requires only subscriber-level authentication, attackers can exploit it even with limited access, increasing the attack surface. For organizations running WooCommerce stores with Mercado Pago payments, this can result in loss of customer trust, regulatory penalties, and financial damage. The vulnerability does not directly affect data integrity or availability, but the exposure of sensitive information can facilitate subsequent attacks that do. The risk is particularly significant for e-commerce businesses handling payment transactions and personal data. Although no known exploits are currently active, the medium severity score and ease of exploitation warrant prompt remediation to prevent potential compromise.

Organizations should immediately upgrade the Mercado Pago payments for WooCommerce plugin to version 7.6.2 or later, which fully addresses the vulnerability by fixing both arbitrary file download and missing authorization. Until the upgrade is applied, restrict subscriber-level access to trusted users only and monitor for suspicious activity related to file downloads. Implement web application firewall (WAF) rules to detect and block path traversal attempts targeting the mercadopagoDownloadLog function. Review server file permissions to minimize exposure of sensitive files and logs. Conduct regular security audits of WordPress plugins and maintain an inventory of installed versions to quickly identify vulnerable components. Additionally, consider isolating the WordPress environment and using security plugins that enforce strict input validation and access controls. Educate administrators and users about the risks of granting unnecessary privileges and enforce the principle of least privilege for user roles.