CVE-2026-7626
Information Exposure in Slek Gateway for WooCommerce Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | slek_gateway | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Slek Gateway for WooCommerce plugin for WordPress, version 1.0. It occurs because the function wsb_handle_slek_payment_redirect() places the merchant's API credentials (slek_key and slek_secret) directly into a client-side HTML form. Additionally, the slek_secret is embedded as a plaintext GET parameter in the IPN callback URL.
This means that unauthenticated attackers who can place an order on the affected WooCommerce store can extract these sensitive API credentials by viewing the HTML source or using browser developer tools on the order payment page before the JavaScript auto-submit executes.
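A check a store owner can run against the rendered order payment page of their own site, as an added example that is not code from the plugin or from this advisory: it flags the two credential names from the description when they appear as form fields or as query parameters of any URL in the markup. The sample pages, host names, values and the ipn_url field name are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Credential names taken from the advisory text.
SENSITIVE = {"slek_key", "slek_secret"}

class CredentialLeakScanner(HTMLParser):
    """Flags credential names in form fields and in URL query strings."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Case 1: the credential is emitted as a form field of its own.
        if tag == "input" and a.get("name", "").lower() in SENSITIVE:
            self.findings.add(("form-field", a["name"].lower()))
        # Case 2: the credential rides in a URL query string (e.g. a callback URL).
        for attr in ("value", "action", "href", "src"):
            try:
                query = urlsplit(a.get(attr, "")).query
            except ValueError:  # malformed URL-like text, nothing to parse
                continue
            for key, _ in parse_qsl(query, keep_blank_values=True):
                if key.lower() in SENSITIVE:
                    self.findings.add(("url-param", key.lower()))

def scan(html):
    scanner = CredentialLeakScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample pages; hosts, values and the ipn_url field are placeholders.
LEAKY_PAGE = """
<form id="pay" method="post" action="https://gateway.example/pay">
  <input type="hidden" name="slek_key" value="EXAMPLE-KEY">
  <input type="hidden" name="slek_secret" value="EXAMPLE-SECRET">
  <input type="hidden" name="ipn_url"
         value="https://shop.example/?wc-api=ipn&amp;slek_secret=EXAMPLE-SECRET">
</form>
"""
CLEAN_PAGE = """
<form id="pay" method="post" action="https://gateway.example/pay">
  <input type="hidden" name="order_ref" value="1001">
  <input type="hidden" name="ipn_url" value="https://shop.example/?wc-api=ipn&amp;order=1001">
</form>
"""

if __name__ == "__main__":
    print(scan(LEAKY_PAGE), scan(CLEAN_PAGE))
```

An empty result only means these two names were not found in tag attributes; inline script content is not inspected.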
How can this vulnerability impact me?
This vulnerability can lead to the exposure of the merchant's API credentials to unauthorized parties. Attackers who obtain these credentials could potentially misuse the API to perform unauthorized actions on behalf of the merchant.
Since the vulnerability allows information exposure without requiring authentication, it increases the risk of credential theft and subsequent fraudulent activities or manipulation of the merchant's WooCommerce store.