Description
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fortis for WooCommerce WordPress plugin versions prior to 1.3.1 may reveal sensitive API keys to unauthenticated attackers. These keys allow the attacker to query Fortis' API and obtain confidential customer information, including past orders and personally identifiable information. The vulnerability is an example of information exposure, permitting an attacker to gain unauthorized access to protected data.

Affected Systems

The vulnerability affects the Fortis for WooCommerce plugin, a WordPress extension used for payment processing, in all releases before version 1.3.1. Any WordPress site deploying these affected versions is susceptible, regardless of other configuration settings. No additional third‑party software is impacted.

Risk and Exploitability

The attack vector is likely via unauthenticated HTTP requests to the plugin’s API endpoints, which are publicly reachable on the site. The EPSS score of <1% indicates a low likelihood of exploitation; however, the vulnerability remains a concern because any exposure of API keys allows an attacker to query Fortis' API and retrieve customer data. The CVSS score is 7.5, and the vulnerability is not listed in the CISA KEV catalog. Immediate remediation is recommended due to the sensitivity of the information exposed.

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fortis for WooCommerce to version 1.3.1 or later
  • Re‑issue any API keys that may have been exposed and update the plugin configuration to restrict API key visibility to authorized users only
  • Review the plugin’s endpoints for other potential exposure and limit unauthenticated access by applying HTTP authentication or IP whitelisting

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Fortispay
Fortispay fortis For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Fortispay
Fortispay fortis For Woocommerce
Wordpress
Wordpress wordpress

Tue, 19 May 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
Title Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure
References

Subscriptions

Fortispay Fortis For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-19T13:16:06.513Z

Reserved: 2026-03-12T20:17:18.395Z

Link: CVE-2025-15609

cve-icon Vulnrichment

Updated: 2026-05-19T13:15:36.576Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T07:16:29.327

Modified: 2026-05-19T14:38:39.660

Link: CVE-2025-15609

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T17:30:10Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor