CVE-2025-15609
Fortis for WooCommerce API Key Exposure Vulnerability
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortis | fortis_for_woocommerce | to 1.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Fortis for WooCommerce WordPress plugin versions before 1.3.1 have a vulnerability that may leak sensitive API keys to unauthenticated attackers.
These leaked API keys allow attackers to query Fortis' API and retrieve sensitive customer information such as past orders and personally identifiable information (PII).
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive customer data including past orders and PII.
Attackers can exploit the leaked API keys to query the Fortis API without authentication, potentially resulting in data breaches and privacy violations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the proof of concept attack which involves querying the vulnerable endpoint to check if sensitive API keys are exposed.
One suggested command to test this is to run the following in your browser's console while on the affected WooCommerce site:
- await fetch("/wp-admin/admin-ajax.php?action=fortis_ajax_request", { "credentials": "include", "method": "POST" })
If the response contains sensitive API keys or customer information, the vulnerability is present.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to access sensitive API keys and retrieve sensitive customer information, including personally identifiable information (PII) and past orders.
Exposure of PII and customer data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, exploitation of this vulnerability could result in violations of these standards, potentially leading to legal and financial consequences for affected organizations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Fortis for WooCommerce WordPress plugin to version 1.3.1 or later, as versions before 1.3.1 are vulnerable to sensitive API key disclosure.
If updating is not immediately possible, consider temporarily disabling the plugin or restricting access to the affected AJAX endpoint to authenticated users only to prevent unauthenticated attackers from exploiting the vulnerability.