CVE-2023-6064
📋 TL;DR
The PayHere Payment Gateway WordPress plugin before version 2.2.12 writes log files into a publicly accessible location whenever a payment is processed. Those files contain sensitive transaction data, so anyone who can find or guess the file path can read payment details, customer information and possibly credentials without authenticating. Every WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- PayHere Payment Gateway WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers read payment records and customer PII straight from the log files; if the logs also capture gateway or account credentials, those can be reused to tamper with payment flows or accounts, compounding the fraud and identity-theft exposure.
Likely Case
Attackers harvest customer payment information and personal data for fraud or resale on dark web markets.
If Mitigated
With proper access controls and monitoring, unauthorized access attempts are detected and blocked before data exfiltration occurs.
🎯 Exploit Status
Exploitation requires only a web browser: the attacker needs the log file path, which the plugin fixes by its own directory layout and which can therefore be guessed or found by directory enumeration, and then simply requests it. No authentication, session or special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.12
Vendor Advisory: https://wpscan.com/vulnerability/423c8881-628b-4380-9677-65b3f5165efe
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find PayHere Payment Gateway.
4. Click 'Update Now' if an update is available.
5. If no update shows, manually download version 2.2.12 or later from the WordPress plugin repository and install it.
🔧 Temporary Workarounds
Remove existing log files
Linux: delete the log files the plugin has already written so the exposed data is gone. Before deleting, copy them to a location outside the web root; they record which transactions and customers were exposed and are the evidence you will need for breach scoping. The file-name patterns below are assumptions, so run each command once with -print in place of -delete and review the list before removing anything.
find /path/to/wordpress -name "*payhere*log*" -type f -delete
find /path/to/wordpress -name "*.log" -path "*/payhere/*" -type f -delete
Block access to log files
Linux (Apache): add an .htaccess rule that denies HTTP access to .log files. Denying the whole plugin directory would also block the plugin's own CSS and JavaScript that browsers load during checkout, so restrict the rule to log files, and append rather than overwrite if an .htaccess already exists. The rule must live in the directory that actually holds the logs; if they are written elsewhere under wp-content (the find commands above search the whole tree), put it there. The syntax below is for Apache 2.4; on Apache 2.2 use "Deny from all" inside the same FilesMatch block. nginx ignores .htaccess entirely, so there the equivalent deny rule has to go in the server configuration.
cat >> /path/to/wordpress/wp-content/plugins/payhere/.htaccess <<'EOF'
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
EOF
🧯 If You Can't Patch
- Disable the PayHere plugin immediately and use alternative payment gateway
- Add web application firewall rules that block requests for .log paths under wp-content, regardless of user agent
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for plugin version. If PayHere Payment Gateway version is below 2.2.12, site is vulnerable.
Check Version (the plugin slug is assumed to be payhere; confirm it with a plain wp plugin list first, since the installed directory name may differ):
wp plugin list --name=payhere --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 2.2.12 or higher in the WordPress admin. Then run a test transaction and confirm that no new log files appear under the web root, and that any remaining log directory returns 403 or 404 when requested over HTTP.
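The workaround and verification steps above amount to two checks: is the installed plugin older than 2.2.12, and do log files sit under the web root where a URL can reach them. The script below is an added example (not code from the PayHere plugin, WPScan or the page) that performs both against a WordPress directory. Its assumptions are labelled in the comments: the plugin directory name contains "payhere" (the real slug may differ, so confirm it with wp plugin list), the plugin's logs carry a .log extension somewhere under wp-content, and the .htaccess check is an Apache heuristic that says nothing on nginx. The sample site it builds when run without arguments is a constructed fixture, not a real install.

```python
"""Audit a WordPress install for CVE-2023-6064 exposure.

Added example, not code from the PayHere plugin or from WPScan. Assumptions
(labelled): the plugin directory name contains "payhere" (the real slug may
differ, so confirm with `wp plugin list`), and the plugin's log files carry a
.log extension somewhere under wp-content/. Apache only: nginx ignores
.htaccess, so the deny check below says nothing about nginx hosts.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 2, 12)  # first version without the public log files

# WordPress reads plugin metadata from a comment header in a top-level PHP file.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.I | re.M)
# Heuristic: Apache 2.4 or legacy 2.2 deny syntax present in the directory's .htaccess.
DENY_RE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)


def parse_version(version: str) -> tuple[int, ...]:
    """'2.2.12' -> (2, 2, 12); tuple comparison avoids the '2.10' < '2.9' string trap."""
    return tuple(int(part) for part in version.strip().rstrip(".").split(".") if part)


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def plugin_version(plugin_dir: Path) -> str | None:
    for php in sorted(plugin_dir.glob("*.php")):
        match = VERSION_RE.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1).rstrip(".")
    return None


def htaccess_denies(directory: Path) -> bool:
    htaccess = directory / ".htaccess"
    return htaccess.is_file() and bool(DENY_RE.search(htaccess.read_text(errors="replace")))


def audit(wp_root: str | Path) -> dict:
    """Report PayHere-like plugin versions and .log files reachable under wp-content."""
    root = Path(wp_root)
    plugins_dir = root / "wp-content" / "plugins"
    report: dict = {"plugins": {}, "logs": []}
    if plugins_dir.is_dir():
        for plugin in sorted(plugins_dir.iterdir()):
            if plugin.is_dir() and "payhere" in plugin.name.lower():
                version = plugin_version(plugin)
                report["plugins"][plugin.name] = {
                    "version": version,
                    # Unknown version is treated as vulnerable: fail closed.
                    "vulnerable": version is None or is_vulnerable(version),
                }
    content = root / "wp-content"
    if content.is_dir():
        for log in sorted(content.rglob("*.log")):
            if "payhere" in str(log.relative_to(root)).lower():
                report["logs"].append({
                    "path": str(log.relative_to(root)),
                    "size": log.stat().st_size,
                    # Without a deny rule, anything under the web root is one URL away.
                    "blocked_by_htaccess": htaccess_denies(log.parent),
                })
    return report


def make_sample_site() -> Path:
    """Constructed fixture (not a real install): a vulnerable plugin with one log file."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    plugin = root / "wp-content" / "plugins" / "payhere"
    (plugin / "logs").mkdir(parents=True)
    (plugin / "payhere.php").write_text(
        "<?php\n/*\nPlugin Name: PayHere Payment Gateway\nVersion: 2.2.11\n*/\n"
    )
    (plugin / "logs" / "payhere_2023-11-20.log").write_text("order_id=...\n")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_site()
    result = audit(target)
    for name, info in result["plugins"].items():
        print(f"{name}: version={info['version']} vulnerable={info['vulnerable']}")
    for entry in result["logs"]:
        state = "blocked" if entry["blocked_by_htaccess"] else "EXPOSED"
        print(f"{state}: {entry['path']} ({entry['size']} bytes)")
```

Run it as python audit.py /path/to/wordpress on a real install; an "EXPOSED" line means a log file sits under the web root with no deny rule in its own directory. A missing version header is deliberately reported as vulnerable rather than unknown, so an unusual packaging of the plugin prompts a manual check instead of a silent pass.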
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to requests for paths that contain 'payhere' and end in '.log' (403 and 404 responses to the same paths indicate probing)
- Unusual access patterns to plugin directories
Network Indicators:
- External IPs accessing /wp-content/plugins/payhere/*.log files
- Traffic spikes to log file paths
SIEM Query:
source="web_access_logs" status=200 uri_path="*.log" (uri_path="*payhere*" OR uri_path="/wp-content/*")
Do not filter on user agent: an exfiltration script can present any user agent, and in the original form of this query the AND bound tighter than the OR, so the user-agent condition applied only to the bare *.log clause anyway.
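The indicators above reduce to one rule: a successful (2xx) response to a request for a .log file under /wp-content/, rated higher when the path mentions payhere. The script below is an added example (not from the page, the plugin vendor or any SIEM product) that applies that rule to combined-format web access log lines, normalising the request path first so a query string or percent-encoded slash cannot hide the hit, and then counts hits per source IP. The log lines it carries are constructed samples using RFC 5737 documentation addresses, and the log file paths in them are assumptions since the plugin's real path is not published.

```python
"""Scan web access logs for reads of PayHere plugin log files (CVE-2023-6064).

Added example, not from the page or the plugin vendor. Assumes the Apache/nginx
"combined" log format and that the plugin's logs live under /wp-content/ with a
.log extension; the exact path is not published, so any .log under /wp-content/
is flagged and PayHere-looking paths are rated high.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not captured from a real site); RFC 5737 addresses,
# and the payhere log paths are assumptions.
SAMPLE_LINES = [
    '203.0.113.5 - - [20/Nov/2023:10:15:32 +0000] "GET /wp-content/plugins/payhere/logs/payhere.log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Nov/2023:10:15:40 +0000] "GET /wp-content/plugins/payhere/logs/payhere.log?x=1 HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '198.51.100.7 - - [20/Nov/2023:10:16:01 +0000] "GET /wp-content/plugins/payhere/assets/style.css HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2023:10:16:05 +0000] "GET /wp-content/uploads/payhere%2Ftransactions.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Nov/2023:10:17:00 +0000] "GET /wp-content/plugins/payhere/logs/payhere.log HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Nov/2023:10:17:03 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def normalise_path(target: str) -> str:
    """Drop the query string and decode percent-escapes so 'payhere%2F...log' cannot hide."""
    return unquote(urlsplit(target).path).lower()


def classify(path: str) -> str | None:
    """'high' for a PayHere .log under /wp-content/, 'medium' for any other .log there."""
    if not (path.startswith("/wp-content/") and path.endswith(".log")):
        return None
    return "high" if "payhere" in path else "medium"


def scan(lines) -> list[dict]:
    """Return one alert per successful request for a log file under /wp-content/."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count parse failures
        status = int(m["status"])
        if not 200 <= status < 300:
            continue  # 403/404 are probes worth counting, but not a data exposure
        path = normalise_path(m["target"])
        severity = classify(path)
        if severity:
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": path,
                "status": status,
                "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
                "severity": severity,
            })
    return alerts


def by_source(alerts) -> Counter:
    """Hits per client IP, the first thing to pivot on during scoping."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for a in found:
        print(f"[{a['severity']}] {a['ip']} {a['ts']} {a['path']} {a['bytes']} bytes")
    print("hits per source:", dict(by_source(found)))
```

Point scan() at the real access log (for example scan(open("/var/log/apache2/access.log")) ) and treat every high-severity alert as a confirmed read of the exposed data by that IP; the byte count tells you roughly how much of the file was returned. Feeding the same parser the 403/404 lines instead gives you the probing that precedes a successful read.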