Conekta Payment Gateway <= 6.0.0 - Unauthenticated Information Exposure
Description
The Conekta Payment Gateway plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=6.0.0What Changed in the Fix
Changes introduced in v6.0.1
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-49066 (Conekta Payment Gateway) ## 1. Vulnerability Summary The Conekta Payment Gateway plugin (<= 6.0.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability manifests in two primary ways: 1. **Secret API Key Exposure**: The plugin's …
Show full research plan
Exploitation Research Plan: CVE-2026-49066 (Conekta Payment Gateway)
1. Vulnerability Summary
The Conekta Payment Gateway plugin (<= 6.0.0) is vulnerable to Unauthenticated Information Exposure. The vulnerability manifests in two primary ways:
- Secret API Key Exposure: The plugin's WooCommerce Blocks integration (specifically for Bank Transfer and Cards) incorrectly localizes the "Secret API Key" (often stored as
api_keyorcards_api_key) to the frontend HTML, making it accessible to any unauthenticated visitor on the checkout page. - PII Exposure via REST/AJAX: The new
checkout-requestendpoint (introduced in 6.0.0) processes cart and customer data. If improperly restricted, it allows unauthenticated users to trigger the creation/retrieval of Conekta orders, which contain sensitive customer PII (customer_info) and cart details in the JSON response.
2. Attack Vector Analysis
- Endpoints:
GET /checkout/(Classic or Blocks checkout page)POST /wp-admin/admin-ajax.php?action=conekta_checkout_requestPOST /wp-json/conekta/v1/checkout-request
- Authentication: Unauthenticated (None).
- Preconditions:
- Conekta Card or Bank Transfer gateway must be enabled.
- For PII exposure, an item must be in the guest's cart.
3. Code Flow
Case A: Secret Key Exposure (Blocks)
- WooCommerce initializes payment blocks.
WC_Gateway_Conekta_Bank_Transfer_Blocks_Support::get_payment_method_data()is called.- The method executes:
'api_key' => $this->get_setting( 'api_key' ). - In
WC_Gateway_Conekta_Blocks_Support, it executes:'api_key' => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'). - If
api_keyorcards_api_keycontains the Secret Key (prefixed withkey_), it is passed to the frontend viawp_add_inline_script(as part of thewcSettingsglobal).
Case B: PII Exposure (AJAX/REST)
- The user (unauthenticated) sends a POST request to the
conekta_checkout_requestaction. - The server verifies the
nonceprovided in the request body. - The server retrieves the current session's cart:
WC()->cart. - The server retrieves/creates a Conekta order via the Conekta API.
- The full Conekta Order object (containing
customer_info, name, email, and amounts) is returned in the JSON response to the unauthenticated user.
4. Nonce Acquisition Strategy
The conekta-checkout-request nonce is required for the AJAX/REST exploitation. It is localized in both Classic and Blocks checkout.
- Preparation: Create a page containing the WooCommerce Checkout block (or use the default
/checkout). - Navigation: Use the browser tool to navigate to the checkout page.
- Extraction:
- Classic:
browser_eval("window.conekta_settings?.nonce") - Blocks: The nonce is stored within the WooCommerce
wcSettingsorwc-conekta-payments-blocksdata. Use:browser_eval("wp.data.select('wc/store/payment-methods').getPaymentMethodData('conekta')?.nonce")
- Classic:
5. Exploitation Strategy
Step 1: Configuration Extraction (Secret Key)
- Request:
GET /checkout/ - Action: Inspect the HTML source or use
browser_evalto check localized objects. - Payload (JS):
// Check Bank Transfer block data console.log(window.wcSettings?.paymentMethodData?.conekta_bank_transfer?.api_key); // Check Cards block data console.log(window.wcSettings?.paymentMethodData?.conekta?.api_key);
Step 2: Sensitive Data Extraction (PII)
- Prerequisite: Add any product to the cart:
POST /?wc-ajax=add_to_cartwithproduct_id=.... - Request:
POST /wp-admin/admin-ajax.php?action=conekta_checkout_request HTTP/1.1 Content-Type: application/x-www-form-urlencoded nonce=[EXTRACTED_NONCE] - Expected Response: A JSON object containing the
conekta_order_idand potentially thecustomer_infoused to generate the pre-created order.
6. Test Data Setup
- Plugin Configuration:
- Set
cards_api_key(Secret) tokey_secret_test_123. - Set
cards_public_api_keytokey_public_test_123. - Enable "Conekta Card" and "Conekta Bank Transfer" in WooCommerce settings.
- Set
- Content: Ensure at least one published product exists.
- Customer Data: Set up the guest session with some dummy info (e.g., by filling the checkout form partially or using
WC()->customer->set_billing_email(...)via CLI).
7. Expected Results
- Secret Key Leak: The string
key_secret_test_123appears in the page source inside a<script>tag (usually underwcSettings). - PII Leak: The AJAX response returns a JSON structure like:
{ "conekta_order_id": "ord_2t...", "amount": 15000, "customer_info": { "name": "John Doe", "email": "john@example.com" } }
8. Verification Steps
- Verify Configuration: Use WP-CLI to confirm the stored settings match the leaked values:
wp option get woocommerce_conekta_settings - Check Logs: Verify that no authorization check was performed by looking at
conekta_plugin.phpfor the absence ofcurrent_user_can()in theconekta_checkout_requesthandler.
9. Alternative Approaches
- REST Route: If the AJAX endpoint is blocked, target
POST /wp-json/conekta/v1/checkout-requestwith the samenoncein the JSON body. - Localized Transalations: Check
resources/js/frontend/classic-translations.js(mentioned inconekta_checkout.php) to see if any other sensitive metadata was localized there usingfilemtimeor other identifiers.
Summary
The Conekta Payment Gateway plugin for WordPress exposes sensitive API keys to unauthenticated visitors via its WooCommerce Blocks integration. In versions up to 6.0.0, the plugin incorrectly localizes the merchant's secret API keys to the frontend HTML, allowing any visitor to extract credentials by viewing the checkout page's source code.
Vulnerable Code
// includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php lines 74-84 public function get_payment_method_data(): array { return [ 'is_enabled' => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN), 'title' => $this->get_setting( 'title' ), 'description' => $this->get_setting( 'description' ), 'supports' => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ), 'name' => $this->name, 'api_key' => $this->get_setting( 'api_key' ), ]; } --- // includes/blocks/class-wc-conekta-payments-blocks.php lines 74-87 public function get_payment_method_data(): array { return [ 'is_enabled' => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN), 'title' => $this->get_setting( 'title' ), 'description' => $this->get_setting( 'description' ), 'supports' => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ), 'name' => $this->name, 'api_key' => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'), 'locale' => $this->gateway->get_user_locale(), 'rest_url' => esc_url_raw(rest_url('conekta/v1/')), 'checkout_request_url' => \WC_AJAX::get_endpoint('conekta_checkout_request'), 'nonce' => wp_create_nonce('conekta-checkout-request'), ]; }
Security Fix
@@ -80,7 +80,6 @@ 'description' => $this->get_setting( 'description' ), 'supports' => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ), 'name' => $this->name, - 'api_key' => $this->get_setting( 'api_key' ), ]; } } @@ -80,7 +80,7 @@ 'description' => $this->get_setting( 'description' ), 'supports' => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ), 'name' => $this->name, - 'api_key' => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'), + 'api_key' => $this->get_setting('cards_public_api_key'), 'locale' => $this->gateway->get_user_locale(), 'rest_url' => esc_url_raw(rest_url('conekta/v1/')), 'checkout_request_url' => \WC_AJAX::get_endpoint('conekta_checkout_request'),
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by navigating to the target site's WooCommerce checkout page when using payment blocks. The attacker inspects the page's HTML source or evaluates global JavaScript variables (such as 'wcSettings' or payment method data localized for the blocks). Within the configuration for 'conekta' or 'conekta_bank_transfer', the 'api_key' property will contain the merchant's secret API key (prefixed with 'key_') if it was saved in the wrong setting field or if the plugin correctly fell back to it in the vulnerable version.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.