Description
The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Slek Gateway for WooCommerce plugin stores the merchant's slek_key and slek_secret directly in a client-side HTML form and also places the slek_secret as a plaintext GET parameter in the IPN callback URL. This flaw allows an attacker to view these credentials by inspecting the HTML source of the WooCommerce order-pay page before the form auto-submits, thereby exposing sensitive API credentials.

Affected Systems

The vulnerability affects the 1.0 release of the Slek Gateway for WooCommerce plugin distributed by qqqjus. Any WordPress site that employs this plugin version is at risk if it uses WooCommerce for order processing.

Risk and Exploitability

The CVSS score for the flaw is 5.3; EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need not be authenticated; they simply place an order and view the order-pay page source before automatic submission. Because no exploitation data are available, the likelihood of exploitation is uncertain, but the moderate severity and the ease of execution suggest a credible risk.

Generated by OpenCVE AI on May 12, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Slek Gateway for WooCommerce plugin to a patched version that removes the credential exposure present in the 1.0 release.
  • If an update is not immediately possible, disable or uninstall the plugin to prevent credential exposure until a fix is available.
  • Review future plugin releases to ensure that API credentials are not improperly stored or transmitted client-side, and validate any custom integrations for secure handling of sensitive data.
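A site owner can verify that a store's order-pay page does not expose gateway credentials in either of the two ways this record describes: a credential written into a form field, or the secret carried as a query parameter of a URL such as the IPN callback. The checker below is an added example, not code from the plugin, from Wordfence or from OpenCVE; it parses a saved copy of the page's HTML, and the sample markup, the ipn_url field name and every value in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SECRET_FIELDS = {"slek_key", "slek_secret"}  # credential fields named in the advisory

class _FormScanner(HTMLParser):
    """Collect every <input> name/value pair and every <form action> URL."""
    def __init__(self):
        super().__init__()
        self.inputs, self.actions = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input":
            self.inputs.append((a.get("name") or "", a.get("value") or ""))

def _secret_params(url):
    """Credential field names that appear as query parameters of url."""
    return [p for p in parse_qs(urlsplit(url).query) if p in SECRET_FIELDS]

def find_credential_leaks(html):
    """Return (location, field) findings for the two patterns in the advisory:
    a form field named after a credential, and a URL (form action or a
    URL-valued field such as an IPN callback) carrying a credential as a
    query parameter. An empty list means neither pattern was found."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for name, value in scanner.inputs:
        if name in SECRET_FIELDS:
            findings.append(("hidden_input", name))
        if value.startswith(("http://", "https://")):
            findings += [("url_param:" + name, p) for p in _secret_params(value)]
    for action in scanner.actions:
        findings += [("form_action", p) for p in _secret_params(action)]
    return findings

# Constructed sample of a leaky order-pay page (not the plugin's real markup);
# the ipn_url field name and every value are placeholders.
SAMPLE_LEAKY_PAGE = """
<form id="slek_form" method="post" action="https://pay.example.invalid/checkout">
  <input type="hidden" name="slek_key" value="merchant-key-PLACEHOLDER">
  <input type="hidden" name="slek_secret" value="merchant-secret-PLACEHOLDER">
  <input type="hidden" name="ipn_url"
    value="https://shop.example.invalid/?wc-api=slek&amp;slek_secret=merchant-secret-PLACEHOLDER">
</form>
<script>document.getElementById("slek_form").submit();</script>
"""
```

Run it against the HTML saved from your own store's order-pay page (before the auto-submit fires) after installing or updating the plugin; any finding means a credential is reaching the browser.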

Generated by OpenCVE AI on May 12, 2026 at 11:35 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Added; identical to the description at the top of this page.
Title | (none) | Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields
Weaknesses | (none) | CWE-200
References | (none) | (none)
Metrics | (none) | cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T16:48:28.248Z

Reserved: 2026-05-01T14:03:43.953Z

Link: CVE-2026-7626

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-12T09:16:57.727

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-7626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T11:45:14Z

Weaknesses