CVE-2026-7626: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in qqqjus Slek Gateway for WooCommerce
The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.
AI Analysis
Technical Summary
The Slek Gateway for WooCommerce plugin version 1.0 contains an information exposure vulnerability (CWE-200) due to the wsb_handle_slek_payment_redirect() function embedding sensitive API credentials (slek_key and slek_secret) directly into client-side HTML forms and including the slek_secret as a plaintext GET parameter in the IPN callback URL. This design flaw allows unauthenticated attackers who can place an order on the affected WooCommerce store to extract these credentials by inspecting the HTML source or using browser developer tools on the order-pay page before the JavaScript auto-submit triggers. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, and no user interaction needed. There is no vendor advisory or patch currently available.
Potential Impact
The exposure of the merchant's slek_key and slek_secret API credentials can lead to unauthorized access to the merchant's payment gateway account or API, potentially allowing attackers to manipulate payment processes or access sensitive merchant data. However, exploitation requires the ability to place an order on the affected WooCommerce store, which may limit the attack surface. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, merchants should avoid using the vulnerable version 1.0 of the Slek Gateway for WooCommerce plugin. Consider disabling or removing the plugin to prevent exposure of API credentials. Monitor for vendor updates or patches addressing this vulnerability.
CVE-2026-7626: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in qqqjus Slek Gateway for WooCommerce
Description
The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Slek Gateway for WooCommerce plugin version 1.0 contains an information exposure vulnerability (CWE-200) due to the wsb_handle_slek_payment_redirect() function embedding sensitive API credentials (slek_key and slek_secret) directly into client-side HTML forms and including the slek_secret as a plaintext GET parameter in the IPN callback URL. This design flaw allows unauthenticated attackers who can place an order on the affected WooCommerce store to extract these credentials by inspecting the HTML source or using browser developer tools on the order-pay page before the JavaScript auto-submit triggers. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) with network attack vector, low attack complexity, no privileges required, and no user interaction needed. There is no vendor advisory or patch currently available.
Potential Impact
The exposure of the merchant's slek_key and slek_secret API credentials can lead to unauthorized access to the merchant's payment gateway account or API, potentially allowing attackers to manipulate payment processes or access sensitive merchant data. However, exploitation requires the ability to place an order on the affected WooCommerce store, which may limit the attack surface. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, merchants should avoid using the vulnerable version 1.0 of the Slek Gateway for WooCommerce plugin. Consider disabling or removing the plugin to prevent exposure of API credentials. Monitor for vendor updates or patches addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-01T14:03:43.953Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a02e311cbff5d8610bad64b
Added to database: 5/12/2026, 8:21:37 AM
Last enriched: 5/12/2026, 8:37:35 AM
Last updated: 5/13/2026, 5:00:39 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.