Description
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fortis for WooCommerce WordPress plugin versions prior to 1.3.1 may reveal sensitive API keys to unauthenticated attackers. These keys allow the attacker to query Fortis' API and obtain confidential customer information, including past orders and personally identifiable information. The vulnerability is an example of information exposure, permitting an attacker to gain unauthorized access to protected data. The affected weakness aligns with CWE-200.

Affected Systems

The vulnerability affects the Fortis for WooCommerce plugin, a WordPress extension used for payment processing, in all releases before version 1.3.1. Any WordPress site running an affected version with the plugin active is susceptible, regardless of other configuration settings. Although the weakness is in the plugin itself, the data at risk is held in Fortis' hosted API: a leaked key exposes the merchant's Fortis account data (past orders, customer PII), not only what is stored on the WordPress site.

Risk and Exploitability

The advisory does not disclose where the key is exposed; it states only that unauthenticated attackers can obtain it, so the attack vector should be assumed to be plain unauthenticated HTTP requests to the site, requiring no account, no user interaction and no special conditions. Once a credential is disclosed this way, exploitation is trivial: the attacker simply uses the key against Fortis' API. The CVSS score is not provided in the public data, and no EPSS value is available. The vulnerability is not listed in the CISA KEV catalog. However, the direct exposure of API keys that unlock sensitive customer data warrants immediate remediation.

Generated by OpenCVE AI on May 19, 2026 at 07:21 UTC.

Remediation

No vendor advisory or workaround is linked in the page data. The advisory's own version bound ("before 1.3.1") indicates that 1.3.1 is the fixed release.

OpenCVE Recommended Actions

  • Upgrade Fortis for WooCommerce to version 1.3.1 or later before doing anything else; rotating keys while an affected version is still active only exposes the replacement key
  • Treat the Fortis API keys as compromised: re‑issue them in the Fortis account after the upgrade, update the plugin configuration with the new keys, and review Fortis‑side API activity for unexpected queries during the exposure window
  • Review the plugin’s endpoints for other unauthenticated exposure and, where business needs allow, limit access to them with HTTP authentication or IP allow‑listing at the web server or WAF
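The advisory does not say which part of the plugin leaks the key, so the following is a generic illustration of the CWE-200 pattern behind the third recommendation, added here as an example; it is not code from the Fortis for WooCommerce plugin or from WPScan. It assumes a hypothetical plugin that stores its payment credential in a WordPress option (`example_pay_settings`, made up) and exposes a settings REST route; the namespace, route names and option name are all assumptions. The first route returns the secret to anyone; the second requires a capability and never returns the secret at all.

```php
<?php
/**
 * Hypothetical illustration of an API key leaking through a public REST
 * route, next to a hardened version. Not the Fortis plugin's code; the
 * option name, namespace and routes are invented for this example.
 */

// Option (assumed) holding the merchant's upstream payment API credential.
const EXAMPLE_PAY_OPTION = 'example_pay_settings';

// --- Vulnerable pattern -----------------------------------------------------
// GET /wp-json/example-pay/v1/settings-leaky needs no login: '__return_true'
// makes the route public, and the callback echoes the whole settings array,
// secret included. Any unauthenticated visitor can read the key.
function example_pay_settings_leaky() {
    return rest_ensure_response( get_option( EXAMPLE_PAY_OPTION, array() ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. permission_callback requires a logged-in user with the shop-management
//    capability (manage_woocommerce is WooCommerce's capability for this;
//    use manage_options on a plain WordPress install).
//    Cookie-authenticated REST calls also need a valid X-WP-Nonce, which
//    WordPress verifies before the permission callback runs.
function example_pay_settings_permission() {
    return current_user_can( 'manage_woocommerce' );
}

// 2. Even for an authorised caller, the secret never leaves the server. The
//    admin UI only needs to know whether a key is configured, plus a short
//    non-sensitive hint to tell keys apart.
function example_pay_settings_hardened() {
    $settings = get_option( EXAMPLE_PAY_OPTION, array() );
    $key      = isset( $settings['api_key'] ) ? (string) $settings['api_key'] : '';

    return rest_ensure_response( array(
        'api_key_configured' => ( '' !== $key ),
        'api_key_hint'       => ( '' === $key ) ? '' : '****' . substr( $key, -4 ),
    ) );
}

add_action( 'rest_api_init', function () {
    // Registered on a distinct path here only so both variants can coexist
    // in one example file; a real plugin would have just the hardened route.
    register_rest_route( 'example-pay/v1', '/settings-leaky', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',   // the bug
        'callback'            => 'example_pay_settings_leaky',
    ) );

    register_rest_route( 'example-pay/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => 'example_pay_settings_permission',
        'callback'            => 'example_pay_settings_hardened',
    ) );
} );
```

Two points carry over to any plugin audit: the permission check and the response shape are separate defences, and both are needed. A route with a proper `permission_callback` that still returns the raw key exposes it to every admin session (and to any XSS that rides on one), while a route that masks the key but is registered with `'__return_true'` remains a CWE-200 finding for whatever else it returns. The same logic applies to other unauthenticated paths a plugin may use to ship settings to the browser, such as data passed through `wp_localize_script` into front-end JavaScript.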

Generated by OpenCVE AI on May 19, 2026 at 07:21 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fortispay
                                      Fortispay fortis For Woocommerce
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Fortispay
                                      Fortispay fortis For Woocommerce
                                      Wordpress
                                      Wordpress wordpress

Tue, 19 May 2026 07:45:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-200

Tue, 19 May 2026 06:30:00 +0000

Type                 Values Removed   Values Added
Description                           The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
Title                                 Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-19T06:00:10.476Z

Reserved: 2026-03-12T20:17:18.395Z

Link: CVE-2025-15609

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T07:16:29.327

Modified: 2026-05-19T07:16:29.327

Link: CVE-2025-15609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:18:26Z

Weaknesses