Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields
Description
The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the JavaScript auto-submit fires.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0# Exploitation Research Plan: CVE-2026-7626 (Slek Gateway for WooCommerce) ## 1. Vulnerability Summary The **Slek Gateway for WooCommerce** plugin (versions <= 1.0) suffers from a medium-severity **Information Exposure** vulnerability. The vulnerability resides in the `wsb_handle_slek_payment_redir…
Show full research plan
Exploitation Research Plan: CVE-2026-7626 (Slek Gateway for WooCommerce)
1. Vulnerability Summary
The Slek Gateway for WooCommerce plugin (versions <= 1.0) suffers from a medium-severity Information Exposure vulnerability. The vulnerability resides in the wsb_handle_slek_payment_redirect() function. When a user proceeds to the payment stage of a WooCommerce order using the Slek gateway, the plugin generates an intermediate "redirect" page.
The flaw exists because the plugin directly embeds sensitive merchant API credentials—slek_key and slek_secret—into the HTML as hidden form fields. Furthermore, the slek_secret is appended as a plaintext GET parameter to the IPN (Instant Payment Notification) callback URL within that same page. An attacker (or even a malicious script on the client side) can extract these credentials by inspecting the page source before the JavaScript-based auto-submission of the payment form occurs.
2. Attack Vector Analysis
- Endpoint: WooCommerce "Order Pay" page or a custom redirect handler. (Likely
/checkout/order-pay/[ORDER_ID]/?key=[ORDER_KEY]). - Vulnerable Function:
wsb_handle_slek_payment_redirect()(inferred to be triggered during the payment processing phase). - Authentication: Unauthenticated (if guest checkout is enabled) or low-privileged "Customer" role.
- Preconditions:
- The Slek Gateway must be enabled and configured with API credentials.
- An order must be placed using Slek as the payment method.
3. Code Flow (Inferred)
- Checkout Initiation: User selects "Slek" at checkout and clicks "Place Order".
- Payment Processing: WooCommerce calls the gateway's
process_payment($order_id)method. - Redirect Generation: The gateway returns a redirect URL to the "order-pay" page.
- Template Execution: On the order-pay page, the plugin triggers
wsb_handle_slek_payment_redirect(). - Information Leak:
- The function retrieves
slek_keyandslek_secretusingget_option()or the gateway's settings. - It renders an HTML form destined for the Slek payment API.
- It populates
<input type="hidden" name="slek_key" value="...">and<input type="hidden" name="slek_secret" value="...">. - It constructs a callback URL:
https://site.com/?slek_callback=1&secret=[SLEK_SECRET].
- The function retrieves
- Client Exposure: The HTML is sent to the browser. While JavaScript typically submits this form immediately, the raw HTTP response contains the secrets.
4. Nonce Acquisition Strategy
This vulnerability does not require a WordPress nonce to trigger the exposure, as the exposure occurs during the standard WooCommerce checkout flow which is designed for public access. However, to reach the vulnerable page, a valid WooCommerce order must be created.
Strategy to reach the exposure point:
- Identify Checkout Nonce: WooCommerce requires a
woocommerce-process-checkout-nonceto place an order via AJAX/POST. - Navigate to Checkout: Use
browser_navigateto/checkout/. - Extract Nonce: Use
browser_evalto extract the checkout nonce:browser_eval("document.getElementById('woocommerce-process-checkout-nonce')?.value"). - Place Order: Submit the checkout form or use
http_requestto POST to/?wc-ajax=checkout.
5. Exploitation Strategy
- Setup Phase:
- Configure the Slek Gateway with placeholder credentials (e.g.,
TEST_KEY_12345andTEST_SECRET_67890). - Ensure a product exists in the WooCommerce store.
- Configure the Slek Gateway with placeholder credentials (e.g.,
- Order Phase:
- Add a product to the cart.
- Navigate to the checkout page.
- Select "Slek" as the payment method.
- Place the order. This will yield an "Order Pay" URL or a redirect to the Slek handler.
- Capture Phase:
- Navigate to the resulting
order-payURL using thebrowser_navigatetool. - Crucial Step: Since the page auto-submits, use
browser_get_sourceimmediately upon load, or ideally, intercept the network request. - Search the HTML source for:
type="hidden"inputs with names related toslek_keyorslek_secret.- URL strings containing the callback/IPN parameters.
- Navigate to the resulting
- Extraction: Extract the plaintext credentials from the
valueattributes and the URL parameter.
6. Test Data Setup
- Plugin Configuration:
# Enable Slek Gateway (slug inferred) wp option update woocommerce_slek_settings '{"enabled":"yes","slek_key":"EXPOSED_KEY_VAL","slek_secret":"EXPOSED_SECRET_VAL"}' --format=json - Product Creation: Ensure at least one publishable product exists.
- Settings: Enable "Guest Checkout" in WooCommerce settings to simplify the attack (Account & Privacy -> Guest checkout).
7. Expected Results
- The HTTP response for the redirect page will contain:
<input type="hidden" name="slek_key" value="EXPOSED_KEY_VAL"><input type="hidden" name="slek_secret" value="EXPOSED_SECRET_VAL">- A URL string resembling
...&slek_secret=EXPOSED_SECRET_VAL...or...&secret=EXPOSED_SECRET_VAL....
- A successful exploit confirms that an unauthenticated user can retrieve the merchant's private API keys simply by placing a dummy order.
8. Verification Steps
- Compare Credentials: Use WP-CLI to verify the leaked credentials match the database:
wp option get woocommerce_slek_settings - Check IPN URL: Verify the IPN URL in the source contains the same secret found in the form fields.
9. Alternative Approaches
- Proxy/Intercept: If the browser auto-submits too quickly for
browser_get_source, use thehttp_requesttool to manually request theorder-payURL (which is a GET request). This allows reading the response body without executing the JavaScript that triggers the redirect. - Search for
wsb_handle_slek_payment_redirect: If the primary WooCommerce redirect path is modified, search the codebase for wherewsb_handle_slek_payment_redirectis hooked (e.g.,template_redirect,init, or a WooCommerce-specific hook likewoocommerce_receipt_slek).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.