Impact
A vulnerability in the Efí Bank Gerencianet Oficial WordPress plugin, up to and including version 3.1.3, allows an attacker to retrieve sensitive information that is embedded in data sent by the plugin. The flaw is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data) and results in a confidentiality breach for users whose transaction or login details are exposed.
Affected Systems
The affected product is the Gerencianet Oficial WooCommerce plugin distributed by Efí Bank. All releases from the earliest documented version up to and including 3.1.3 are vulnerable; the advisory lists no specific patch level.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate impact, while an EPSS score of 1% suggests a low probability that the flaw will be actively exploited at present. The vulnerability is not part of the CISA KEV catalog. The advisory does not describe how the flaw is exploited, but its description implies that anyone able to interact with the plugin, potentially even through unauthenticated web requests, could trigger a response that contains the hidden sensitive data. The exact attack vector remains unconfirmed, but the disclosed behavior points to a data-exfiltration risk that could be leveraged via the plugin's API or normal usage pathways.