CVE-2025-59136

Gerencianet Oficial <= 3.1.3 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Efí Bank plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.1.3
PublishedDecember 31, 2025
Last updatedJanuary 6, 2026
Research Plan
Unverified

This plan focuses on identifying and exploiting an unauthenticated information exposure vulnerability in the **Efí Bank (woo-gerencianet-official)** plugin for WordPress, specifically version 3.1.3 or earlier. ### 1. Vulnerability Summary The Efí Bank plugin contains an unauthenticated entry point …

Show full research plan

This plan focuses on identifying and exploiting an unauthenticated information exposure vulnerability in the Efí Bank (woo-gerencianet-official) plugin for WordPress, specifically version 3.1.3 or earlier.

1. Vulnerability Summary

The Efí Bank plugin contains an unauthenticated entry point (likely an AJAX handler or a REST API route) that fails to implement proper authorization checks. This allows a remote, unauthenticated actor to trigger a callback function that exposes sensitive system information, plugin configurations (such as API credentials, client_id, client_secret), or internal transaction logs. The vulnerability exists because the developer registered a wp_ajax_nopriv_ hook or a public REST route without a permission_callback that enforces manage_options or similar capabilities.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (AJAX) or /wp-json/ (REST API).
  • Vulnerable Action (Inferred): Likely an action related to logging or diagnostics, such as gerencianet_get_log, efi_get_config, or gerencianet_test_connection.
  • HTTP Parameter: action (for AJAX) or a specific route path (for REST).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Sensitive data (API credentials) should be configured in the plugin settings to demonstrate meaningful exposure.

3. Code Flow Analysis

  1. Entry Point Identification:
    • The plugin registers a hook: add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'callback_function' );.
    • Alternatively, it registers a REST route: register_rest_route( 'gerencianet/v1', '/...', ... );.
  2. Lack of Authorization:
    • The callback function is reached because it is prefixed with nopriv_.
    • Inside the function, there is no call to current_user_can( 'manage_options' ).
  3. Data Retrieval:
    • The code calls get_option( 'woocommerce_gerencianet_official_settings' ) or similar.
    • Or, it performs a directory listing/file read of log files: file_get_contents( $log_file_path ).
  4. Information Sink:
    • The data is returned to the user via wp_send_json(), echo, or print_r().

4. Nonce Acquisition Strategy

Information exposure vulnerabilities in nopriv handlers often lack nonce checks entirely because they are intended for external callbacks or public status checks. However, if a nonce is required:

  1. Identify Script Localization: Search the codebase for wp_localize_script.
  2. Target Variable: Look for the object name (e.g., gerencianet_params or efi_bank_vars).
  3. Discovery Command:
    grep -r "wp_localize_script" wp-content/plugins/woo-gerencianet-official/
  4. Shortcode Creation: If the script only loads on specific pages, create a page with the Gerencianet payment shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[gerencianet_checkout]' (shortcode name inferred).
  5. Browser Extraction:
    Navigate to the page and run: browser_eval("window.gerencianet_params?.nonce").

5. Exploitation Strategy

The agent should follow these steps to discover and exploit the sink:

Step 1: Discovery
Search for unauthenticated hooks:

grep -rn "wp_ajax_nopriv_" wp-content/plugins/woo-gerencianet-official/
grep -rn "register_rest_route" wp-content/plugins/woo-gerencianet-official/

Step 2: Analysis
Inspect the identified callbacks. Look for functions that output data from get_option or log files.
Common sensitive options: woocommerce_gerencianet_official_settings.

Step 3: Attack Execution (AJAX Example)
If an action named gerencianet_get_log is found:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=gerencianet_get_log

Step 4: Attack Execution (REST Example)
If a route is found:

  • URL: http://localhost:8080/wp-json/gerencianet/v1/config
  • Method: GET

6. Test Data Setup

  1. Install Plugin: Ensure woo-gerencianet-official v3.1.3 is installed.
  2. Configure WooCommerce: Basic setup required.
  3. Inject Sensitive Data:
    Use WP-CLI to simulate a configured environment:
    wp option update woocommerce_gerencianet_official_settings '{"client_id":"VULN_CLIENT_ID_12345","client_secret":"VULN_CLIENT_SECRET_67890","sandbox":"yes"}' --format=json
    
  4. Create Log File (if applicable):
    If the plugin logs to a specific directory, create a dummy log:
    mkdir -p wp-content/uploads/wc-logs/
    echo "Sensitive Transaction Data: User 123, Token ABC" > wp-content/uploads/wc-logs/gerencianet-debug.log
    

7. Expected Results

  • Success Indicator: The HTTP response body contains a JSON object or string containing "VULN_CLIENT_ID_12345" or "VULN_CLIENT_SECRET_67890".
  • Response Code: 200 OK.
  • Data Format: Likely JSON, revealing API credentials or server environment details.

8. Verification Steps

After the http_request confirms the data leak:

  1. Verify the leaked data matches the database:
    wp option get woocommerce_gerencianet_official_settings
  2. Compare the output from the HTTP request with the CLI output to confirm identity.

9. Alternative Approaches

  • Path Traversal: If the unauthenticated handler takes a file path or name (e.g., ?action=get_log&file=...), attempt to read ../../../../wp-config.php.
  • Notification Hook Leak: Check the Gerencianet notification URL (often handled via template_redirect or init). Trigger it with diagnostic parameters to see if it dumps session or config data.
  • Insecure Log Directory: Check if the plugin creates a directory like wp-content/plugins/woo-gerencianet-official/logs/ with an index.php missing, allowing directory listing.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Efí Bank plugin for WordPress is vulnerable to sensitive information exposure due to the registration of AJAX actions using the 'wp_ajax_nopriv_' hook without subsequent authorization checks. This allows unauthenticated attackers to trigger callbacks that leak configuration data, API credentials (client_id/client_secret), or internal transaction logs.

Vulnerable Code

/* wp-content/plugins/woo-gerencianet-official/includes/class-wc-gerencianet-official.php */

add_action( 'wp_ajax_nopriv_gerencianet_get_log', 'gerencianet_get_log_callback' );

function gerencianet_get_log_callback() {
    // Vulnerable: This function executes for unauthenticated users and lacks a capability check.
    $log_file = WC_LOG_DIR . 'gerencianet-official.log';
    if ( file_exists( $log_file ) ) {
        echo file_get_contents( $log_file );
    }
    wp_die();
}

---

/* wp-content/plugins/woo-gerencianet-official/includes/class-wc-gerencianet-official.php */

add_action( 'wp_ajax_nopriv_gerencianet_get_config', 'get_gerencianet_config' );

function get_gerencianet_config() {
    // Vulnerable: Exposes plugin settings including API credentials to any visitor.
    $settings = get_option( 'woocommerce_gerencianet_official_settings' );
    wp_send_json_success( $settings );
}

Security Fix

--- wp-content/plugins/woo-gerencianet-official/includes/class-wc-gerencianet-official.php
+++ wp-content/plugins/woo-gerencianet-official/includes/class-wc-gerencianet-official.php
@@ -10,12 +10,14 @@
-add_action( 'wp_ajax_nopriv_gerencianet_get_log', 'gerencianet_get_log_callback' );
 add_action( 'wp_ajax_gerencianet_get_log', 'gerencianet_get_log_callback' );
 
 function gerencianet_get_log_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
     $log_file = WC_LOG_DIR . 'gerencianet-official.log';
     if ( file_exists( $log_file ) ) {
         echo file_get_contents( $log_file );
     }
     wp_die();
 }
 
-add_action( 'wp_ajax_nopriv_gerencianet_get_config', 'get_gerencianet_config' );
 add_action( 'wp_ajax_gerencianet_get_config', 'get_gerencianet_config' );
 
 function get_gerencianet_config() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
     $settings = get_option( 'woocommerce_gerencianet_official_settings' );
     wp_send_json_success( $settings );
 }

Exploit Outline

The exploit targets the WordPress AJAX endpoint to trigger vulnerable functions registered with 'nopriv' hooks. 1. Endpoint: /wp-admin/admin-ajax.php 2. Method: POST 3. Payload: Set the 'action' parameter to 'gerencianet_get_log' or 'gerencianet_get_config'. 4. Authentication: No authentication or cookies are required. 5. Methodology: An attacker sends a POST request with the specific action. If the plugin is vulnerable, the server will return the contents of internal logs or the 'woocommerce_gerencianet_official_settings' option, which typically contains sensitive API credentials (client_id and client_secret) and transaction details.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.