Conekta Payment Gateway Security & Risk Analysis

wordpress.org/plugins/conekta-payment-gateway

WooCommerce Payment Gateway for Conekta.io This bundles functionality to process credit cards and cash payments securely as well as send email notific …

2K active installs v5.4.14 PHP 7.4+ WP 6.6.2+ Updated Apr 10, 2026
cashconektafreemexicopayment-gateway
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 8, 2026
Safety Verdict

Is Conekta Payment Gateway Safe to Use in 2026?

Generally Safe

Score 99/100

Conekta Payment Gateway has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Jun 8, 2026Updated 3mo ago
Risk Assessment

The conekta-payment-gateway plugin version 5.4.8 presents a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and the absence of known critical or high-severity vulnerabilities in its history. This suggests a developer aware of common pitfalls. However, the static analysis reveals significant concerns, particularly in the handling of entry points. The presence of one REST API route without permission callbacks is a major weakness, as it exposes a potentially unprotected endpoint to unauthorized access. Furthermore, the lack of nonce checks and capability checks on any of its entry points, combined with a relatively high percentage (77%) of properly escaped outputs, indicates a potential for certain types of attacks if the unprotected REST API route can be manipulated. The bundled Guzzle library should be monitored for known vulnerabilities, although no specific issues are indicated in the provided data.

Overall, while the plugin has a clean vulnerability history and good SQL hygiene, the unprotected REST API endpoint represents a critical security risk. The absence of authentication and authorization checks on this entry point makes it a prime target for various web attacks. The other analyzed areas like AJAX handlers, shortcodes, and cron events being absent or protected are positive, but they do not mitigate the risk posed by the exposed REST API. A balanced conclusion would be that the plugin has potential for good security, but this specific version has a critical flaw that requires immediate attention.

Key Concerns

  • REST API routes without permission callbacks
  • Missing nonce checks on entry points
  • Missing capability checks on entry points
  • Output escaping below 100%
Vulnerabilities
1 published

Conekta Payment Gateway Security Vulnerabilities

CVEs by Year

1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-49066medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Conekta Payment Gateway <= 6.0.0 - Unauthenticated Information Exposure

Jun 8, 2026 Patched in 6.0.1 (11d)
Version History

Conekta Payment Gateway Release Timeline

v5.4.14Current1 CVE
v5.4.131 CVE
v5.4.121 CVE
v5.4.111 CVE
v5.4.101 CVE
v5.4.91 CVE
v5.4.81 CVE
v5.4.71 CVE
v5.4.61 CVE
v5.4.51 CVE
v5.4.41 CVE
v5.4.31 CVE
v5.4.21 CVE
v5.4.11 CVE
v5.4.01 CVE
v5.3.01 CVE
v5.2.71 CVE
v5.2.61 CVE
v5.2.51 CVE
v5.2.41 CVE
Code Analysis
Analyzed Mar 16, 2026

Conekta Payment Gateway Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
36
120 escaped
Nonce Checks
0
Capability Checks
0
File Operations
7
External Requests
0
Bundled Libraries
1

Bundled Libraries

Guzzle

Output Escaping

77% escaped156 total outputs
Attack Surface
1 unprotected

Conekta Payment Gateway Attack Surface

Entry Points1
Unprotected1

REST API Routes 1

POST/wp-json/conekta/v1/create-3ds-orderconekta-rest-api.php:23
WordPress Hooks 44
actionrest_api_initconekta-rest-api.php:16
actioninitconekta-rest-api.php:510
actionwoocommerce_api_wc_conekta_bank_transferconekta_bank_transfer_block_gateway.php:54
actionwoocommerce_email_before_order_tableconekta_bank_transfer_block_gateway.php:55
actionwoocommerce_email_before_order_tableconekta_bank_transfer_block_gateway.php:56
filterwoocommerce_payment_gatewaysconekta_bank_transfer_block_gateway.php:342
actionwoocommerce_blocks_loadedconekta_bank_transfer_block_gateway.php:344
actionwoocommerce_blocks_payment_method_type_registrationconekta_bank_transfer_block_gateway.php:349
actionwoocommerce_api_wc_conektaconekta_block_gateway.php:69
actionwoocommerce_rest_checkout_process_payment_with_contextconekta_block_gateway.php:81
filterwoocommerce_payment_gatewaysconekta_block_gateway.php:527
actionwoocommerce_blocks_loadedconekta_block_gateway.php:528
actionwoocommerce_blocks_payment_method_type_registrationconekta_block_gateway.php:534
actionwoocommerce_api_wc_conekta_bnplconekta_bnpl_block_gateway.php:52
filterwoocommerce_payment_gatewaysconekta_bnpl_block_gateway.php:262
actionwoocommerce_blocks_loadedconekta_bnpl_block_gateway.php:264
actionwoocommerce_blocks_payment_method_type_registrationconekta_bnpl_block_gateway.php:269
actionwp_enqueue_scriptsconekta_card_gateway.php:71
actionadmin_noticesconekta_card_gateway.php:76
filterwoocommerce_payment_gatewaysconekta_card_gateway.php:360
actionwoocommerce_api_wc_conekta_cashconekta_cash_block_gateway.php:59
actionwoocommerce_email_before_order_tableconekta_cash_block_gateway.php:60
actionwoocommerce_email_before_order_tableconekta_cash_block_gateway.php:61
filterwoocommerce_payment_gatewaysconekta_cash_block_gateway.php:430
actionwp_enqueue_scriptsconekta_cash_block_gateway.php:432
actionwoocommerce_blocks_loadedconekta_cash_block_gateway.php:441
actionwoocommerce_blocks_payment_method_type_registrationconekta_cash_block_gateway.php:446
actionwoocommerce_email_before_order_tableconekta_cash_gateway.php:66
actionwoocommerce_email_before_order_tableconekta_cash_gateway.php:70
filterwoocommerce_payment_gatewaysconekta_cash_gateway.php:411
actionwoocommerce_order_status_processing_to_completedconekta_cash_gateway.php:412
actionplugins_loadedconekta_checkout.php:38
actionwp_enqueue_scriptsconekta_checkout.php:50
actionwoocommerce_api_wc_conekta_pay_by_bankconekta_pay_by_bank_block_gateway.php:54
actionwoocommerce_email_before_order_tableconekta_pay_by_bank_block_gateway.php:55
actionwoocommerce_email_before_order_tableconekta_pay_by_bank_block_gateway.php:56
filterwoocommerce_payment_gatewaysconekta_pay_by_bank_block_gateway.php:434
actionwoocommerce_blocks_loadedconekta_pay_by_bank_block_gateway.php:436
actionwoocommerce_blocks_payment_method_type_registrationconekta_pay_by_bank_block_gateway.php:441
actionwoocommerce_api_conekta_3ds_callbackconekta_plugin.php:262
actionwoocommerce_email_before_order_tableconekta_spei_gateway.php:62
actionwoocommerce_email_before_order_tableconekta_spei_gateway.php:66
filterwoocommerce_payment_gatewaysconekta_spei_gateway.php:399
actionwoocommerce_order_status_processing_to_completedconekta_spei_gateway.php:400
Maintenance & Trust

Conekta Payment Gateway Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 10, 2026
PHP min version7.4
Downloads100K

Community Trust

Rating70/100
Number of ratings6
Active installs2K
Developer Profile

Conekta Payment Gateway Developer Profile

Conekta Group

1 plugin · 2K total installs

93
trust score
Avg Security Score
99/100
Avg Patch Time
11 days
View full developer profile
Detection Fingerprints

How We Detect Conekta Payment Gateway

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/conekta-payment-gateway/resources/js/frontend/classic-translations.js/wp-content/plugins/conekta-payment-gateway/resources/js/frontend/classic-checkout.js
Script Paths
https://pay.conekta.com/v1.0/js/conekta-checkout.min.js

HTML / DOM Fingerprints

JS Globals
conekta_settings
FAQ

Frequently Asked Questions about Conekta Payment Gateway