The Cart66 Cloud plugin for WordPress versions up to and including 2.3.7 contains a sensitive information exposure vulnerability (CWE-200) via an accessible phpinfo.php script. This script can be accessed without authentication, allowing attackers to view potentially sensitive server and environment information. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), with an attack vector of network, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No patch or vendor advisory has been provided to confirm remediation status.

An unauthenticated attacker can access the phpinfo.php script, exposing sensitive information such as server configuration and environment variables. This exposure could facilitate further attacks but does not directly affect data integrity or system availability. No known exploitation in the wild has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the phpinfo.php script by removing it or limiting access via web server configuration or firewall rules.