CVE-2026-7626
Received Received - Intake
Information Exposure in Slek Gateway for WooCommerce Plugin

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: Wordfence

Description
The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-7626
EUVD
EUVD-2026-29419
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
woocommerce slek_gateway 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Slek Gateway for WooCommerce plugin for WordPress, version 1.0. It occurs because the function wsb_handle_slek_payment_redirect() places the merchant's API credentials (slek_key and slek_secret) directly into a client-side HTML form. Additionally, the slek_secret is embedded as a plaintext GET parameter in the IPN callback URL.

This means that unauthenticated attackers who can place an order on the affected WooCommerce store can extract these sensitive API credentials by viewing the HTML source or using browser developer tools on the order payment page before the JavaScript auto-submit executes.

Impact Analysis

This vulnerability can lead to the exposure of the merchant's API credentials to unauthorized parties. Attackers who obtain these credentials could potentially misuse the API to perform unauthorized actions on behalf of the merchant.

Since the vulnerability allows information exposure without requiring authentication, it increases the risk of credential theft and subsequent fraudulent activities or manipulation of the merchant's WooCommerce store.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7626. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart