Aikido Intel
Secure My Code
Intel

AIKIDO-2025-10876

schrammel-codes/magento2-epc-qr-code is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.

52

Medium Risk

This Affects:

PHPschrammel-codes/magento2-epc-qr-code
1.0.0 - 1.1.2
Fixed in 2.0.0

TL;DR

Affected versions of this package may expose sensitive data because QR codes could be generated without a valid hash. This allowed attackers to iterate over order IDs, reveal payment amounts, and access increment IDs. The fix introduces a required hash derived from unique order attributes, ensuring that QR codes cannot be created—or guessed—without proper authorization.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

schrammel-codes/magento2-epc-qr-code is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 1.0.0 - 1.1.2.

How to fix this

Upgrade the schrammel-codes/magento2-epc-qr-code library to the patch version.

Links

Get Secure Now

Secure your code, cloud, and runtime environments in one central system. Find and fix vulnerabilities automatically.

Start for Free
Book a Demo

No credit card required | Scan results in 32secs.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done