Impact
Unauthenticated Sensitive Data Exposure in the WordPress Conekta Payment Gateway plugin ≤ 6.0.0 allows any user to retrieve confidential transaction or user data that the plugin handles. The flaw is a classic CWE‑497 ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’, meaning the plugin does not adequately protect sensitive information it stores or transmits, leading to potential leakage of payment credentials or customer details.
Affected Systems
Any installation of the WordPress Conekta Payment Gateway plugin up through version 6.0.0 is affected. The plugin is distributed by the Conekta Group and is commonly used on sites that process credit‑card or bank‑transfer transactions.
Risk and Exploitability
The CVSS score of 7.5 highlights the high severity of the exposure, while an EPSS score of < 1 % indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need prior authentication; the likely path to exploitation is a remote HTTP request to a plugin endpoint that returns sensitive data.
OpenCVE Enrichment