CVE-2026-7626 Overview
The Slek Gateway for WooCommerce plugin for WordPress version 1.0 contains an information exposure vulnerability that leaks merchant API credentials to unauthenticated users. The wsb_handle_slek_payment_redirect() function writes the merchant's slek_key and slek_secret into a client-side HTML form and embeds the slek_secret as a plaintext GET parameter in the Instant Payment Notification (IPN) callback URL. Any unauthenticated attacker who can place an order on the affected store can extract these credentials by viewing page source or using browser developer tools on the WooCommerce order-pay page before the JavaScript auto-submit fires. The flaw is tracked as CWE-200: Information Exposure.
Critical Impact
Unauthenticated attackers can harvest live merchant payment gateway credentials by initiating a checkout, enabling fraudulent API use against the merchant's Slek account.
Affected Products
- Slek Gateway for WooCommerce plugin for WordPress
- Version 1.0 (trunk and tagged release)
- WordPress sites running WooCommerce with the affected plugin
Discovery Timeline
- 2026-05-12 - CVE-2026-7626 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7626
Vulnerability Analysis
The Slek Gateway for WooCommerce plugin handles payment redirection through the wsb_handle_slek_payment_redirect() function. This function constructs an HTML form on the WooCommerce order-pay page that submits payment details to the upstream Slek processor. Instead of keeping the merchant's API credentials server-side, the implementation injects both slek_key and slek_secret as visible form fields rendered in the response body.
A secondary issue compounds the exposure. The function builds the IPN callback URL using the slek_secret as a plaintext GET parameter. This URL is also written into the rendered HTML and is transmitted in clear text to any party observing the request, including browser history, proxy logs, and referrer headers.
The page relies on a JavaScript auto-submit handler to forward the form. Any attacker who disables JavaScript, intercepts the response, or simply views the page source before submission can read both secrets. The vulnerability falls under information exposure (CWE-200).
Root Cause
The root cause is improper separation of server-side secrets from client-rendered output. API credentials intended to authenticate the merchant to the Slek payment processor are placed directly in HTML returned to the buyer's browser. The IPN callback URL further duplicates the secret as a query string parameter rather than computing a signed token server-side.
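The signed-token pattern the root cause points to, as an added example in Python rather than the plugin's own PHP (not code from the plugin or its maintainer): the secret stays server-side and the IPN URL carries an HMAC over the order parameters, so the URL is safe to render and log. The callback path, function names and the secret value are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder. The real value stays in the server-side option
# store and is never written into HTML or a URL.
SLEK_SECRET = "EXAMPLE_MERCHANT_SECRET"

def _canonical(params: dict) -> bytes:
    """Byte string the token commits to: sorted key=value pairs."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()

def build_ipn_url(base_url: str, order_id: int, amount: str, nonce: str,
                  secret: str = SLEK_SECRET) -> str:
    """Server side: attach an HMAC-SHA256 token over order id, amount and a
    per-order nonce instead of the secret itself. The URL can then appear in
    HTML, browser history, proxy logs and Referer headers without leaking."""
    params = {"order_id": str(order_id), "amount": amount, "nonce": nonce}
    params["token"] = hmac.new(secret.encode(), _canonical(params),
                               hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode(params)}"

def verify_ipn_url(url: str, secret: str = SLEK_SECRET) -> bool:
    """IPN handler check: recompute the token over the received parameters
    and compare in constant time. A changed order_id or amount, a missing
    token, or a callback forged without the secret all fail. (A production
    handler would also record each nonce so a captured callback cannot be
    replayed.)"""
    received = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    token = received.pop("token", None)
    if token is None:
        return False
    expected = hmac.new(secret.encode(), _canonical(received),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)

if __name__ == "__main__":
    url = build_ipn_url("https://store.example/ipn-callback", 1234, "19.99",
                        secrets.token_hex(8))
    print(url, verify_ipn_url(url))                                    # True
    print(verify_ipn_url(url.replace("amount=19.99", "amount=0.01")))  # False
```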
Attack Vector
An unauthenticated attacker browses the affected WooCommerce store and adds any item to the cart. The attacker proceeds to checkout and selects the Slek payment method, which triggers the redirect handler. Before the auto-submit JavaScript executes, the attacker views page source or opens browser DevTools to read the slek_key, slek_secret, and the IPN URL containing the secret. The harvested credentials can then be reused to call the Slek API as the merchant or to forge IPN callbacks to the store.
The vulnerable code paths are documented in the WordPress Plugin Source Code at line 267 and line 307. Additional analysis is available in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-7626
Indicators of Compromise
- Unusual outbound API calls to the Slek payment processor using the merchant's slek_key from unfamiliar IP addresses.
- Unexpected IPN callbacks arriving at the WooCommerce store that mark orders as paid without a corresponding settlement on the Slek dashboard.
- Web server access logs showing repeated order-pay page requests from the same IP without subsequent payment completion.
- Browser referrer entries or proxy logs containing the slek_secret as a URL query parameter.
Detection Strategies
- Audit the rendered HTML of the WooCommerce order-pay page for the affected plugin and confirm whether slek_key or slek_secret values appear in form fields or URLs.
- Inspect WordPress plugin inventory for slek-gateway-for-woocommerce version 1.0 across managed sites.
- Correlate WooCommerce order events with Slek dashboard transactions to identify mismatches that suggest IPN forgery.
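An added Python example (not part of the advisory) covering the indicators and detection strategies above: it audits a captured order-pay response for the slek_key and slek_secret form fields and for any URL carrying slek_secret, and scans combined-format access log lines for the secret in a request path or Referer. The HTML, log lines, hostnames and credential values are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
# Field names the advisory says the plugin renders into the order-pay page.
CREDENTIAL_FIELDS = {"slek_key", "slek_secret"}

def url_carries_secret(url: str) -> bool:
    """True if the URL's query string has a slek_secret parameter."""
    return "slek_secret" in parse_qs(urlsplit(url).query)

class CredentialExposureFinder(HTMLParser):
    """Flag <input> elements named after the credentials, and any attribute
    (form action, link, hidden value) whose URL carries slek_secret."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") in CREDENTIAL_FIELDS:
            self.findings.append(("form_field", attrs["name"]))
        for attr, value in attrs.items():
            if value and url_carries_secret(value):
                self.findings.append(("url_param", f"{tag}.{attr}"))

def audit_order_pay_html(html: str) -> list:
    """Audit a captured order-pay response body for exposed credentials."""
    finder = CredentialExposureFinder()
    finder.feed(html)
    return finder.findings

# Any URL-like token in a combined-format log line: request path or Referer.
URL_TOKEN = re.compile(r'[^\s"]+\?[^\s"]+')

def scan_access_log(lines) -> list:
    """Client IPs of lines whose request path or Referer carries slek_secret."""
    return [line.split()[0] for line in lines
            if any(url_carries_secret(t) for t in URL_TOKEN.findall(line))]

# Constructed samples; all values are placeholders, not real credentials.
SAMPLE_HTML = """<form id="payment-redirect-form" method="post" action="https://processor.example/pay">
  <input type="hidden" name="slek_key" value="EXAMPLE_KEY">
  <input type="hidden" name="slek_secret" value="EXAMPLE_SECRET">
  <input type="hidden" name="ipn_url" value="https://store.example/ipn-callback?order_id=1234&amp;slek_secret=EXAMPLE_SECRET">
</form>"""
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:03 +0000] "GET /checkout/order-pay/1234/?pay_for_order=true&key=wc_order_EXAMPLE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2026:10:01:09 +0000] "GET /ipn-callback?order_id=1234&slek_secret=EXAMPLE_SECRET HTTP/1.1" 200 43 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2026:10:02:30 +0000] "GET /thank-you/ HTTP/1.1" 200 900 "https://store.example/pay?slek_secret=EXAMPLE_SECRET" "Mozilla/5.0"',
]
```

Run `audit_order_pay_html` over the real order-pay response of a store that still has the plugin active; an empty result from both functions is the expected state after the plugin is removed and credentials rotated.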
Monitoring Recommendations
- Enable WordPress access logging and forward logs to a centralized analytics platform to flag repeated order-pay page access without checkout completion.
- Monitor the Slek merchant dashboard for API calls originating from IP addresses not associated with the store's hosting infrastructure.
- Rotate the credentials and then watch their usage patterns to detect unauthorized reuse of slek_key and slek_secret.
How to Mitigate CVE-2026-7626
Immediate Actions Required
- Disable the Slek Gateway for WooCommerce plugin until a patched release is available from the maintainer.
- Rotate the affected slek_key and slek_secret in the Slek merchant portal immediately to invalidate any previously exposed credentials.
- Review Slek transaction history and IPN logs for unauthorized activity since the plugin was installed.
- Remove the plugin entirely if an alternate payment gateway can be substituted in the short term.
Patch Information
No fixed version is identified in the published advisory. The vulnerability affects version 1.0 of the plugin. Monitor the Wordfence Vulnerability Report and the WordPress.org plugin repository for an updated release that moves credential handling server-side and signs the IPN callback rather than embedding the secret.
Workarounds
- Deactivate and remove the plugin from all WooCommerce stores until a patched version is published.
- Restrict access to the WooCommerce checkout to authenticated customers using an access control plugin to reduce unauthenticated exposure.
- Configure a web application firewall (WAF) rule to strip or block responses on the order-pay endpoint that contain credential field names associated with the plugin.
- After rotation, store new Slek credentials in a server-side secret store and avoid plugin configurations that render secrets to the client.
# Configuration example: deactivate the affected plugin via WP-CLI
wp plugin deactivate slek-gateway-for-woocommerce
wp plugin delete slek-gateway-for-woocommerce
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.