CVE-2024-6687 is a CWE-200 classified vulnerability found in the CTT Expresso para WooCommerce plugin for WordPress, affecting all versions up to and including 3.2.12. The vulnerability arises because the plugin stores generated .pdf and log files containing sensitive personal information—such as sender and receiver names, phone numbers, physical addresses, and email addresses—in the /wp-content/uploads/cepw directory. This directory is publicly accessible by default, allowing any unauthenticated user to retrieve these files simply by knowing or guessing the URL path. The exposure of such personally identifiable information (PII) can lead to privacy violations and may facilitate further attacks like social engineering or identity theft. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (remote), no privileges required, no user interaction, and limited impact confined to confidentiality. No integrity or availability impacts are reported. No patches or mitigations have been officially released yet, and there are no known exploits in the wild. The vulnerability is significant because WooCommerce is widely used globally for e-commerce, and the plugin is specifically tailored for CTT Expresso shipping services, which are primarily used in Portugal but may also be used by Portuguese-speaking communities elsewhere. The exposure of sensitive customer data can lead to regulatory non-compliance, reputational damage, and potential legal consequences for affected organizations.

The primary impact of CVE-2024-6687 is the unauthorized disclosure of sensitive customer information, including names, phone numbers, physical addresses, and email addresses. This can result in privacy breaches and may violate data protection regulations such as GDPR, especially for organizations operating within or serving customers in the European Union. Attackers could leverage the exposed data for phishing campaigns, social engineering attacks, or identity theft. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can cause significant reputational damage and loss of customer trust. Organizations using the affected plugin risk regulatory fines and legal actions if they fail to protect customer data adequately. The ease of exploitation—requiring no authentication or user interaction—makes this vulnerability particularly concerning for publicly accessible e-commerce websites. Since WooCommerce powers a large number of online stores worldwide, the scope of affected systems is considerable, especially for those using the CTT Expresso para WooCommerce plugin for shipping integration.

To mitigate CVE-2024-6687, organizations should immediately restrict public access to the /wp-content/uploads/cepw directory by implementing web server access controls such as .htaccess rules or equivalent configurations to deny unauthenticated HTTP requests. If possible, move sensitive files to non-public directories or configure the plugin to store sensitive documents in locations not directly accessible via URL. Monitor web server logs for unusual access patterns to the uploads directory that may indicate exploitation attempts. Regularly audit and remove any sensitive files that should not be publicly accessible. Organizations should also check for plugin updates or patches from the vendor and apply them promptly once available. As a longer-term measure, consider implementing data minimization practices to avoid storing sensitive information in publicly accessible locations and enforce strict access controls on all customer data. Additionally, informing customers about the breach and reviewing compliance with data protection regulations is advisable.