Description
Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Sensitive Data Exposure in the WordPress Conekta Payment Gateway plugin ≤ 6.0.0 allows any user to retrieve confidential transaction or user data that the plugin handles. The flaw is a classic CWE‑497 ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’, meaning the plugin does not adequately protect sensitive information it stores or transmits, leading to potential leakage of payment credentials or customer details.

Affected Systems

Any installation of the WordPress Conekta Payment Gateway plugin up through version 6.0.0 is affected. The plugin is distributed by the Conekta Group and is commonly used on sites that process credit‑card or bank‑transfer transactions.

Risk and Exploitability

The CVSS score of 7.5 highlights the high severity of the exposure, while an EPSS score of < 1 % indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need prior authentication; the likely path to exploitation is a remote HTTP request to a plugin endpoint that returns sensitive data.

Generated by OpenCVE AI on June 18, 2026 at 00:31 UTC.

Remediation

Vendor Solution

Update the WordPress Conekta Payment Gateway Plugin to the latest available version (at least 6.0.1).


OpenCVE Recommended Actions

  • Update the WordPress Conekta Payment Gateway Plugin to version 6.0.1 or later.
  • Remove or disable any legacy plugin files and configuration that remain on the server after the update.
  • If an immediate update cannot be applied, disable the plugin and restrict access to authorized users only, and monitor logs for suspicious activity.

Generated by OpenCVE AI on June 18, 2026 at 00:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Conekta Group
Conekta Group conekta Payment Gateway
Wordpress
Wordpress wordpress
Vendors & Products Conekta Group
Conekta Group conekta Payment Gateway
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.
Title WordPress Conekta Payment Gateway plugin <= 6.0.0 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Conekta Group Conekta Payment Gateway
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:19:53.359Z

Reserved: 2026-05-27T10:26:54.457Z

Link: CVE-2026-49066

cve-icon Vulnrichment

Updated: 2026-06-16T01:19:48.281Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:19.417

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49066

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:46Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere