CVE-2026-7626

Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0
PublishedMay 11, 2026
Last updatedMay 12, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7626 (Slek Gateway for WooCommerce) ## 1. Vulnerability Summary The **Slek Gateway for WooCommerce** plugin (versions <= 1.0) suffers from a medium-severity **Information Exposure** vulnerability. The vulnerability resides in the `wsb_handle_slek_payment_redir…

Show full research plan

Exploitation Research Plan: CVE-2026-7626 (Slek Gateway for WooCommerce)

1. Vulnerability Summary

The Slek Gateway for WooCommerce plugin (versions <= 1.0) suffers from a medium-severity Information Exposure vulnerability. The vulnerability resides in the wsb_handle_slek_payment_redirect() function. When a user proceeds to the payment stage of a WooCommerce order using the Slek gateway, the plugin generates an intermediate "redirect" page.

The flaw exists because the plugin directly embeds sensitive merchant API credentials—slek_key and slek_secret—into the HTML as hidden form fields. Furthermore, the slek_secret is appended as a plaintext GET parameter to the IPN (Instant Payment Notification) callback URL within that same page. An attacker (or even a malicious script on the client side) can extract these credentials by inspecting the page source before the JavaScript-based auto-submission of the payment form occurs.

2. Attack Vector Analysis

  • Endpoint: WooCommerce "Order Pay" page or a custom redirect handler. (Likely /checkout/order-pay/[ORDER_ID]/?key=[ORDER_KEY]).
  • Vulnerable Function: wsb_handle_slek_payment_redirect() (inferred to be triggered during the payment processing phase).
  • Authentication: Unauthenticated (if guest checkout is enabled) or low-privileged "Customer" role.
  • Preconditions:
    • The Slek Gateway must be enabled and configured with API credentials.
    • An order must be placed using Slek as the payment method.

3. Code Flow (Inferred)

  1. Checkout Initiation: User selects "Slek" at checkout and clicks "Place Order".
  2. Payment Processing: WooCommerce calls the gateway's process_payment($order_id) method.
  3. Redirect Generation: The gateway returns a redirect URL to the "order-pay" page.
  4. Template Execution: On the order-pay page, the plugin triggers wsb_handle_slek_payment_redirect().
  5. Information Leak:
    • The function retrieves slek_key and slek_secret using get_option() or the gateway's settings.
    • It renders an HTML form destined for the Slek payment API.
    • It populates <input type="hidden" name="slek_key" value="..."> and <input type="hidden" name="slek_secret" value="...">.
    • It constructs a callback URL: https://site.com/?slek_callback=1&secret=[SLEK_SECRET].
  6. Client Exposure: The HTML is sent to the browser. While JavaScript typically submits this form immediately, the raw HTTP response contains the secrets.

4. Nonce Acquisition Strategy

This vulnerability does not require a WordPress nonce to trigger the exposure, as the exposure occurs during the standard WooCommerce checkout flow which is designed for public access. However, to reach the vulnerable page, a valid WooCommerce order must be created.

Strategy to reach the exposure point:

  1. Identify Checkout Nonce: WooCommerce requires a woocommerce-process-checkout-nonce to place an order via AJAX/POST.
  2. Navigate to Checkout: Use browser_navigate to /checkout/.
  3. Extract Nonce: Use browser_eval to extract the checkout nonce:
    browser_eval("document.getElementById('woocommerce-process-checkout-nonce')?.value").
  4. Place Order: Submit the checkout form or use http_request to POST to /?wc-ajax=checkout.

5. Exploitation Strategy

  1. Setup Phase:
    • Configure the Slek Gateway with placeholder credentials (e.g., TEST_KEY_12345 and TEST_SECRET_67890).
    • Ensure a product exists in the WooCommerce store.
  2. Order Phase:
    • Add a product to the cart.
    • Navigate to the checkout page.
    • Select "Slek" as the payment method.
    • Place the order. This will yield an "Order Pay" URL or a redirect to the Slek handler.
  3. Capture Phase:
    • Navigate to the resulting order-pay URL using the browser_navigate tool.
    • Crucial Step: Since the page auto-submits, use browser_get_source immediately upon load, or ideally, intercept the network request.
    • Search the HTML source for:
      • type="hidden" inputs with names related to slek_key or slek_secret.
      • URL strings containing the callback/IPN parameters.
  4. Extraction: Extract the plaintext credentials from the value attributes and the URL parameter.

6. Test Data Setup

  • Plugin Configuration:
    # Enable Slek Gateway (slug inferred)
    wp option update woocommerce_slek_settings '{"enabled":"yes","slek_key":"EXPOSED_KEY_VAL","slek_secret":"EXPOSED_SECRET_VAL"}' --format=json
    
  • Product Creation: Ensure at least one publishable product exists.
  • Settings: Enable "Guest Checkout" in WooCommerce settings to simplify the attack (Account & Privacy -> Guest checkout).

7. Expected Results

  • The HTTP response for the redirect page will contain:
    • <input type="hidden" name="slek_key" value="EXPOSED_KEY_VAL">
    • <input type="hidden" name="slek_secret" value="EXPOSED_SECRET_VAL">
    • A URL string resembling ...&slek_secret=EXPOSED_SECRET_VAL... or ...&secret=EXPOSED_SECRET_VAL....
  • A successful exploit confirms that an unauthenticated user can retrieve the merchant's private API keys simply by placing a dummy order.

8. Verification Steps

  1. Compare Credentials: Use WP-CLI to verify the leaked credentials match the database:
    wp option get woocommerce_slek_settings
    
  2. Check IPN URL: Verify the IPN URL in the source contains the same secret found in the form fields.

9. Alternative Approaches

  • Proxy/Intercept: If the browser auto-submits too quickly for browser_get_source, use the http_request tool to manually request the order-pay URL (which is a GET request). This allows reading the response body without executing the JavaScript that triggers the redirect.
  • Search for wsb_handle_slek_payment_redirect: If the primary WooCommerce redirect path is modified, search the codebase for where wsb_handle_slek_payment_redirect is hooked (e.g., template_redirect, init, or a WooCommerce-specific hook like woocommerce_receipt_slek).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.