CVE-2025-15609
Deferred Deferred - Pending Action
Fortis for WooCommerce API Key Exposure Vulnerability

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: WPScan

Description
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2025-15609
EUVD
EUVD-2025-209890
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fortis fortis_for_woocommerce to 1.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Fortis for WooCommerce WordPress plugin versions before 1.3.1 have a vulnerability that may leak sensitive API keys to unauthenticated attackers.

These leaked API keys allow attackers to query Fortis' API and retrieve sensitive customer information such as past orders and personally identifiable information (PII).

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive customer data including past orders and PII.

Attackers can exploit the leaked API keys to query the Fortis API without authentication, potentially resulting in data breaches and privacy violations.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the proof of concept attack which involves querying the vulnerable endpoint to check if sensitive API keys are exposed.

One suggested command to test this is to run the following in your browser's console while on the affected WooCommerce site:

  • await fetch("/wp-admin/admin-ajax.php?action=fortis_ajax_request", { "credentials": "include", "method": "POST" })

If the response contains sensitive API keys or customer information, the vulnerability is present.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive API keys and retrieve sensitive customer information, including personally identifiable information (PII) and past orders.

Exposure of PII and customer data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability could result in violations of these standards, potentially leading to legal and financial consequences for affected organizations.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Fortis for WooCommerce WordPress plugin to version 1.3.1 or later, as versions before 1.3.1 are vulnerable to sensitive API key disclosure.

If updating is not immediately possible, consider temporarily disabling the plugin or restricting access to the affected AJAX endpoint to authenticated users only to prevent unauthenticated attackers from exploiting the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart