CVE-2025-59136

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial woo-gerencianet-official allows Retrieve Embedded Sensitive Data. This issue affects Gerencianet Oficial: from n/a through <= 3.1.3.

Analysis

The Efí Bank Gerencianet Oficial WordPress plugin through version 3.1.3 exposes sensitive data by embedding it into sent HTTP requests or responses, allowing attackers to retrieve payment-related information without authentication. This information disclosure vulnerability (CWE-201) affects all installations of the affected plugin versions and is classified as low-risk based on EPSS score (0.04%, 12th percentile), with no public exploit code or active exploitation confirmed.

Technical Context

The vulnerability stems from improper handling of sensitive information in the Gerencianet payment gateway integration plugin for WooCommerce. CWE-201 describes the insertion of sensitive data into outbound communications: in this case, likely API requests, log files, or client-side transmitted data related to payment processing. The plugin integrates with Efí Bank's payment infrastructure, and the flaw allows sensitive payment details (potentially API keys, tokens, transaction data, or customer information) to be exposed in network traffic or stored data that an attacker can access. The vulnerability affects the woo-gerencianet-official WordPress plugin CPE (wp:plugin:woo-gerencianet-official) across versions up to and including 3.1.3.

Affected Products

The Efí Bank Gerencianet Oficial WordPress plugin (woo-gerencianet-official) is affected in all versions from the earliest through version 3.1.3. This is a WooCommerce payment gateway extension distributed via the WordPress Plugin Directory. Installations of this plugin on any WordPress site with WooCommerce are vulnerable if not updated beyond version 3.1.3.

Remediation

Update the Gerencianet Oficial plugin to the latest available version beyond 3.1.3. Site administrators should immediately navigate to WordPress Admin Dashboard > Plugins > Installed Plugins, locate 'Gerencianet Oficial', and click 'Update' to apply the patched version. Additionally, review server logs and API request history to ensure no sensitive payment data (API keys, tokens, transaction IDs) has been exposed or logged in plaintext; rotate any API credentials that may have been embedded in requests. Verify that sensitive data is not cached in browser history or proxy logs. For detailed remediation guidance and patch availability confirmation, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/woo-gerencianet-official/vulnerability/wordpress-gerencianet-oficial-plugin-3-1-3-sensitive-data-exposure-vulnerability.

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
