CVE-2026-49066

Conekta Payment Gateway <= 6.0.0 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
6.0.1
Patched in
11d
Time to patch

Description

The Conekta Payment Gateway plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=6.0.0
PublishedJune 8, 2026
Last updatedJune 18, 2026

What Changed in the Fix

Changes introduced in v6.0.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-49066 (Conekta Payment Gateway) ## 1. Vulnerability Summary The Conekta Payment Gateway plugin (<= 6.0.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability manifests in two primary ways: 1. **Secret API Key Exposure**: The plugin's …

Show full research plan

Exploitation Research Plan: CVE-2026-49066 (Conekta Payment Gateway)

1. Vulnerability Summary

The Conekta Payment Gateway plugin (<= 6.0.0) is vulnerable to Unauthenticated Information Exposure. The vulnerability manifests in two primary ways:

  1. Secret API Key Exposure: The plugin's WooCommerce Blocks integration (specifically for Bank Transfer and Cards) incorrectly localizes the "Secret API Key" (often stored as api_key or cards_api_key) to the frontend HTML, making it accessible to any unauthenticated visitor on the checkout page.
  2. PII Exposure via REST/AJAX: The new checkout-request endpoint (introduced in 6.0.0) processes cart and customer data. If improperly restricted, it allows unauthenticated users to trigger the creation/retrieval of Conekta orders, which contain sensitive customer PII (customer_info) and cart details in the JSON response.

2. Attack Vector Analysis

  • Endpoints:
    • GET /checkout/ (Classic or Blocks checkout page)
    • POST /wp-admin/admin-ajax.php?action=conekta_checkout_request
    • POST /wp-json/conekta/v1/checkout-request
  • Authentication: Unauthenticated (None).
  • Preconditions:
    • Conekta Card or Bank Transfer gateway must be enabled.
    • For PII exposure, an item must be in the guest's cart.

3. Code Flow

Case A: Secret Key Exposure (Blocks)

  1. WooCommerce initializes payment blocks.
  2. WC_Gateway_Conekta_Bank_Transfer_Blocks_Support::get_payment_method_data() is called.
  3. The method executes: 'api_key' => $this->get_setting( 'api_key' ).
  4. In WC_Gateway_Conekta_Blocks_Support, it executes: 'api_key' => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key').
  5. If api_key or cards_api_key contains the Secret Key (prefixed with key_), it is passed to the frontend via wp_add_inline_script (as part of the wcSettings global).

Case B: PII Exposure (AJAX/REST)

  1. The user (unauthenticated) sends a POST request to the conekta_checkout_request action.
  2. The server verifies the nonce provided in the request body.
  3. The server retrieves the current session's cart: WC()->cart.
  4. The server retrieves/creates a Conekta order via the Conekta API.
  5. The full Conekta Order object (containing customer_info, name, email, and amounts) is returned in the JSON response to the unauthenticated user.

4. Nonce Acquisition Strategy

The conekta-checkout-request nonce is required for the AJAX/REST exploitation. It is localized in both Classic and Blocks checkout.

  1. Preparation: Create a page containing the WooCommerce Checkout block (or use the default /checkout).
  2. Navigation: Use the browser tool to navigate to the checkout page.
  3. Extraction:
    • Classic: browser_eval("window.conekta_settings?.nonce")
    • Blocks: The nonce is stored within the WooCommerce wcSettings or wc-conekta-payments-blocks data. Use:
      browser_eval("wp.data.select('wc/store/payment-methods').getPaymentMethodData('conekta')?.nonce")

5. Exploitation Strategy

Step 1: Configuration Extraction (Secret Key)

  1. Request: GET /checkout/
  2. Action: Inspect the HTML source or use browser_eval to check localized objects.
  3. Payload (JS):
    // Check Bank Transfer block data
    console.log(window.wcSettings?.paymentMethodData?.conekta_bank_transfer?.api_key);
    // Check Cards block data
    console.log(window.wcSettings?.paymentMethodData?.conekta?.api_key);
    

Step 2: Sensitive Data Extraction (PII)

  1. Prerequisite: Add any product to the cart: POST /?wc-ajax=add_to_cart with product_id=....
  2. Request:
    POST /wp-admin/admin-ajax.php?action=conekta_checkout_request HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    nonce=[EXTRACTED_NONCE]
    
  3. Expected Response: A JSON object containing the conekta_order_id and potentially the customer_info used to generate the pre-created order.

6. Test Data Setup

  1. Plugin Configuration:
    • Set cards_api_key (Secret) to key_secret_test_123.
    • Set cards_public_api_key to key_public_test_123.
    • Enable "Conekta Card" and "Conekta Bank Transfer" in WooCommerce settings.
  2. Content: Ensure at least one published product exists.
  3. Customer Data: Set up the guest session with some dummy info (e.g., by filling the checkout form partially or using WC()->customer->set_billing_email(...) via CLI).

7. Expected Results

  • Secret Key Leak: The string key_secret_test_123 appears in the page source inside a <script> tag (usually under wcSettings).
  • PII Leak: The AJAX response returns a JSON structure like:
    {
      "conekta_order_id": "ord_2t...",
      "amount": 15000,
      "customer_info": {
        "name": "John Doe",
        "email": "john@example.com"
      }
    }
    

8. Verification Steps

  1. Verify Configuration: Use WP-CLI to confirm the stored settings match the leaked values:
    wp option get woocommerce_conekta_settings
  2. Check Logs: Verify that no authorization check was performed by looking at conekta_plugin.php for the absence of current_user_can() in the conekta_checkout_request handler.

9. Alternative Approaches

  • REST Route: If the AJAX endpoint is blocked, target POST /wp-json/conekta/v1/checkout-request with the same nonce in the JSON body.
  • Localized Transalations: Check resources/js/frontend/classic-translations.js (mentioned in conekta_checkout.php) to see if any other sensitive metadata was localized there using filemtime or other identifiers.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Conekta Payment Gateway plugin for WordPress exposes sensitive API keys to unauthenticated visitors via its WooCommerce Blocks integration. In versions up to 6.0.0, the plugin incorrectly localizes the merchant's secret API keys to the frontend HTML, allowing any visitor to extract credentials by viewing the checkout page's source code.

Vulnerable Code

// includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php lines 74-84
    public function get_payment_method_data(): array
    {
        return [
            'is_enabled'                => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN),
            'title'       		        => $this->get_setting( 'title' ),
            'description' 		        => $this->get_setting( 'description' ),
            'supports'    			    => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),
            'name'                      => $this->name,
			'api_key'                   => $this->get_setting( 'api_key' ),
        ];
    }

---

// includes/blocks/class-wc-conekta-payments-blocks.php lines 74-87
    public function get_payment_method_data(): array
    {
        return [
            'is_enabled'                     => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN),
            'title'       		             => $this->get_setting( 'title' ),
            'description' 		             => $this->get_setting( 'description' ),
            'supports'    			         => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),
            'name'                           => $this->name,
			'api_key' 						 => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'),
            'locale' 						 => $this->gateway->get_user_locale(),
            'rest_url'                       => esc_url_raw(rest_url('conekta/v1/')),
            'checkout_request_url'           => \WC_AJAX::get_endpoint('conekta_checkout_request'),
            'nonce'                          => wp_create_nonce('conekta-checkout-request'),
        ];
    }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.0/includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.1/includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php
--- /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.0/includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php	2025-05-12 16:13:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.1/includes/blocks/class-wc-conekta-bank_transfer-payments-blocks.php	2026-06-04 21:16:00.000000000 +0000
@@ -80,7 +80,6 @@
             'description' 		        => $this->get_setting( 'description' ),
             'supports'    			    => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),
             'name'                      => $this->name,
-			'api_key'                   => $this->get_setting( 'api_key' ),
         ];
     }
 }
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.0/includes/blocks/class-wc-conekta-payments-blocks.php /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.1/includes/blocks/class-wc-conekta-payments-blocks.php
--- /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.0/includes/blocks/class-wc-conekta-payments-blocks.php	2026-06-03 20:22:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/conekta-payment-gateway/6.0.1/includes/blocks/class-wc-conekta-payments-blocks.php	2026-06-04 21:16:00.000000000 +0000
@@ -80,7 +80,7 @@
             'description' 		             => $this->get_setting( 'description' ),
             'supports'    			         => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),
             'name'                           => $this->name,
-			'api_key' 						 => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'),
+			'api_key' 						 => $this->get_setting('cards_public_api_key'),
             'locale' 						 => $this->gateway->get_user_locale(),
             'rest_url'                       => esc_url_raw(rest_url('conekta/v1/')),
             'checkout_request_url'           => \WC_AJAX::get_endpoint('conekta_checkout_request'),

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by navigating to the target site's WooCommerce checkout page when using payment blocks. The attacker inspects the page's HTML source or evaluates global JavaScript variables (such as 'wcSettings' or payment method data localized for the blocks). Within the configuration for 'conekta' or 'conekta_bank_transfer', the 'api_key' property will contain the merchant's secret API key (prefixed with 'key_') if it was saved in the wrong setting field or if the plugin correctly fell back to it in the vulnerable version.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.