[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9C9DeOiv0nYzqE3dNd-yVqRYUyZQZ-I7rZ1nMgHzQZk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49066","conekta-payment-gateway-unauthenticated-information-exposure","Conekta Payment Gateway \u003C= 6.0.0 - Unauthenticated Information Exposure","The Conekta Payment Gateway plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","conekta-payment-gateway",null,"\u003C=6.0.0","6.0.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-08 00:00:00","2026-06-18 13:25:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Feb79c684-1495-4bc7-bc80-a62de67d097b?source=api-prod",11,[22,23,24,25,26,27,28,29],"CHANGELOG","CHANGELOG.md","README.md","conekta_checkout.php","conekta_plugin.php","includes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php","includes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-49066 (Conekta Payment Gateway)\n\n## 1. Vulnerability Summary\nThe Conekta Payment Gateway plugin (\u003C= 6.0.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability manifests in two primary ways:\n1.  **Secret API Key Exposure**: The plugin's WooCommerce Blocks integration (specifically for Bank Transfer and Cards) incorrectly localizes the \"Secret API Key\" (often stored as `api_key` or `cards_api_key`) to the frontend HTML, making it accessible to any unauthenticated visitor on the checkout page.\n2.  **PII Exposure via REST\u002FAJAX**: The new `checkout-request` endpoint (introduced in 6.0.0) processes cart and customer data. If improperly restricted, it allows unauthenticated users to trigger the creation\u002Fretrieval of Conekta orders, which contain sensitive customer PII (`customer_info`) and cart details in the JSON response.\n\n## 2. Attack Vector Analysis\n-   **Endpoints**: \n    -   `GET \u002Fcheckout\u002F` (Classic or Blocks checkout page)\n    -   `POST \u002Fwp-admin\u002Fadmin-ajax.php?action=conekta_checkout_request`\n    -   `POST \u002Fwp-json\u002Fconekta\u002Fv1\u002Fcheckout-request`\n-   **Authentication**: Unauthenticated (None).\n-   **Preconditions**: \n    -   Conekta Card or Bank Transfer gateway must be enabled.\n    -   For PII exposure, an item must be in the guest's cart.\n\n## 3. Code Flow\n### Case A: Secret Key Exposure (Blocks)\n1.  WooCommerce initializes payment blocks.\n2.  `WC_Gateway_Conekta_Bank_Transfer_Blocks_Support::get_payment_method_data()` is called.\n3.  The method executes: `'api_key' => $this->get_setting( 'api_key' )`.\n4.  In `WC_Gateway_Conekta_Blocks_Support`, it executes: `'api_key' => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key')`.\n5.  If `api_key` or `cards_api_key` contains the Secret Key (prefixed with `key_`), it is passed to the frontend via `wp_add_inline_script` (as part of the `wcSettings` global).\n\n### Case B: PII Exposure (AJAX\u002FREST)\n1.  The user (unauthenticated) sends a POST request to the `conekta_checkout_request` action.\n2.  The server verifies the `nonce` provided in the request body.\n3.  The server retrieves the current session's cart: `WC()->cart`.\n4.  The server retrieves\u002Fcreates a Conekta order via the Conekta API.\n5.  The full Conekta Order object (containing `customer_info`, name, email, and amounts) is returned in the JSON response to the unauthenticated user.\n\n## 4. Nonce Acquisition Strategy\nThe `conekta-checkout-request` nonce is required for the AJAX\u002FREST exploitation. It is localized in both Classic and Blocks checkout.\n\n1.  **Preparation**: Create a page containing the WooCommerce Checkout block (or use the default `\u002Fcheckout`).\n2.  **Navigation**: Use the browser tool to navigate to the checkout page.\n3.  **Extraction**:\n    -   **Classic**: `browser_eval(\"window.conekta_settings?.nonce\")`\n    -   **Blocks**: The nonce is stored within the WooCommerce `wcSettings` or `wc-conekta-payments-blocks` data. Use:\n        `browser_eval(\"wp.data.select('wc\u002Fstore\u002Fpayment-methods').getPaymentMethodData('conekta')?.nonce\")`\n\n## 5. Exploitation Strategy\n\n### Step 1: Configuration Extraction (Secret Key)\n1.  **Request**: `GET \u002Fcheckout\u002F`\n2.  **Action**: Inspect the HTML source or use `browser_eval` to check localized objects.\n3.  **Payload (JS)**:\n    ```javascript\n    \u002F\u002F Check Bank Transfer block data\n    console.log(window.wcSettings?.paymentMethodData?.conekta_bank_transfer?.api_key);\n    \u002F\u002F Check Cards block data\n    console.log(window.wcSettings?.paymentMethodData?.conekta?.api_key);\n    ```\n\n### Step 2: Sensitive Data Extraction (PII)\n1.  **Prerequisite**: Add any product to the cart: `POST \u002F?wc-ajax=add_to_cart` with `product_id=...`.\n2.  **Request**:\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php?action=conekta_checkout_request HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    nonce=[EXTRACTED_NONCE]\n    ```\n3.  **Expected Response**: A JSON object containing the `conekta_order_id` and potentially the `customer_info` used to generate the pre-created order.\n\n## 6. Test Data Setup\n1.  **Plugin Configuration**: \n    -   Set `cards_api_key` (Secret) to `key_secret_test_123`.\n    -   Set `cards_public_api_key` to `key_public_test_123`.\n    -   Enable \"Conekta Card\" and \"Conekta Bank Transfer\" in WooCommerce settings.\n2.  **Content**: Ensure at least one published product exists.\n3.  **Customer Data**: Set up the guest session with some dummy info (e.g., by filling the checkout form partially or using `WC()->customer->set_billing_email(...)` via CLI).\n\n## 7. Expected Results\n-   **Secret Key Leak**: The string `key_secret_test_123` appears in the page source inside a `\u003Cscript>` tag (usually under `wcSettings`).\n-   **PII Leak**: The AJAX response returns a JSON structure like:\n    ```json\n    {\n      \"conekta_order_id\": \"ord_2t...\",\n      \"amount\": 15000,\n      \"customer_info\": {\n        \"name\": \"John Doe\",\n        \"email\": \"john@example.com\"\n      }\n    }\n    ```\n\n## 8. Verification Steps\n1.  **Verify Configuration**: Use WP-CLI to confirm the stored settings match the leaked values:\n    `wp option get woocommerce_conekta_settings`\n2.  **Check Logs**: Verify that no authorization check was performed by looking at `conekta_plugin.php` for the absence of `current_user_can()` in the `conekta_checkout_request` handler.\n\n## 9. Alternative Approaches\n-   **REST Route**: If the AJAX endpoint is blocked, target `POST \u002Fwp-json\u002Fconekta\u002Fv1\u002Fcheckout-request` with the same `nonce` in the JSON body.\n-   **Localized Transalations**: Check `resources\u002Fjs\u002Ffrontend\u002Fclassic-translations.js` (mentioned in `conekta_checkout.php`) to see if any other sensitive metadata was localized there using `filemtime` or other identifiers.","The Conekta Payment Gateway plugin for WordPress exposes sensitive API keys to unauthenticated visitors via its WooCommerce Blocks integration. In versions up to 6.0.0, the plugin incorrectly localizes the merchant's secret API keys to the frontend HTML, allowing any visitor to extract credentials by viewing the checkout page's source code.","\u002F\u002F includes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php lines 74-84\n    public function get_payment_method_data(): array\n    {\n        return [\n            'is_enabled'                => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN),\n            'title'       \t\t        => $this->get_setting( 'title' ),\n            'description' \t\t        => $this->get_setting( 'description' ),\n            'supports'    \t\t\t    => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),\n            'name'                      => $this->name,\n\t\t\t'api_key'                   => $this->get_setting( 'api_key' ),\n        ];\n    }\n\n---\n\n\u002F\u002F includes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php lines 74-87\n    public function get_payment_method_data(): array\n    {\n        return [\n            'is_enabled'                     => filter_var($this->get_setting( 'enabled' ),FILTER_VALIDATE_BOOLEAN),\n            'title'       \t\t             => $this->get_setting( 'title' ),\n            'description' \t\t             => $this->get_setting( 'description' ),\n            'supports'    \t\t\t         => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),\n            'name'                           => $this->name,\n\t\t\t'api_key' \t\t\t\t\t\t => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'),\n            'locale' \t\t\t\t\t\t => $this->gateway->get_user_locale(),\n            'rest_url'                       => esc_url_raw(rest_url('conekta\u002Fv1\u002F')),\n            'checkout_request_url'           => \\WC_AJAX::get_endpoint('conekta_checkout_request'),\n            'nonce'                          => wp_create_nonce('conekta-checkout-request'),\n        ];\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.0\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.1\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.0\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php\t2025-05-12 16:13:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.1\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-bank_transfer-payments-blocks.php\t2026-06-04 21:16:00.000000000 +0000\n@@ -80,7 +80,6 @@\n             'description' \t\t        => $this->get_setting( 'description' ),\n             'supports'    \t\t\t    => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),\n             'name'                      => $this->name,\n-\t\t\t'api_key'                   => $this->get_setting( 'api_key' ),\n         ];\n     }\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.0\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.1\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.0\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php\t2026-06-03 20:22:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fconekta-payment-gateway\u002F6.0.1\u002Fincludes\u002Fblocks\u002Fclass-wc-conekta-payments-blocks.php\t2026-06-04 21:16:00.000000000 +0000\n@@ -80,7 +80,7 @@\n             'description' \t\t             => $this->get_setting( 'description' ),\n             'supports'    \t\t\t         => array_filter( $this->gateway->supports, [ $this->gateway, 'supports' ] ),\n             'name'                           => $this->name,\n-\t\t\t'api_key' \t\t\t\t\t\t => $this->get_setting('cards_public_api_key') ?: $this->get_setting('cards_api_key'),\n+\t\t\t'api_key' \t\t\t\t\t\t => $this->get_setting('cards_public_api_key'),\n             'locale' \t\t\t\t\t\t => $this->gateway->get_user_locale(),\n             'rest_url'                       => esc_url_raw(rest_url('conekta\u002Fv1\u002F')),\n             'checkout_request_url'           => \\WC_AJAX::get_endpoint('conekta_checkout_request'),","An unauthenticated attacker can exploit this vulnerability by navigating to the target site's WooCommerce checkout page when using payment blocks. The attacker inspects the page's HTML source or evaluates global JavaScript variables (such as 'wcSettings' or payment method data localized for the blocks). Within the configuration for 'conekta' or 'conekta_bank_transfer', the 'api_key' property will contain the merchant's secret API key (prefixed with 'key_') if it was saved in the wrong setting field or if the plugin correctly fell back to it in the vulnerable version.","gemini-3-flash-preview","2026-06-26 02:53:44","2026-06-26 02:55:07",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fconekta-payment-gateway\u002Ftags\u002F6.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fconekta-payment-gateway.6.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fconekta-payment-gateway\u002Ftags\u002F6.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fconekta-payment-gateway.6.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fconekta-payment-gateway\u002Ftags"]