CVE-2026-9618 Overview
CVE-2026-9618 is a Cross-Site Request Forgery (CSRF) vulnerability in the PeachPay — Payments & Express Checkout for WooCommerce WordPress plugin. The plugin supports Stripe, PayPal, Square, Authorize.net, and NMI payment gateways. All versions up to and including 1.120.46 are affected. The flaw exists in the peachpay_stripe_handle_admin_actions function due to missing or incorrect nonce validation. Unauthenticated attackers can permanently delete all stored Stripe credentials from the WordPress database by tricking an administrator into clicking a crafted link. This disables Stripe payment processing for the affected store.
Critical Impact
Successful exploitation deletes Stripe publishable keys, secret keys, webhook secrets, and Apple Pay configuration, disrupting payment processing for affected WooCommerce stores.
Affected Products
- PeachPay — Payments & Express Checkout for WooCommerce plugin versions up to and including 1.120.46
- WordPress installations running the vulnerable plugin
- WooCommerce stores using PeachPay Stripe integration
Discovery Timeline
- 2026-05-28 - CVE CVE-2026-9618 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9618
Vulnerability Analysis
The vulnerability falls under [CWE-352] Cross-Site Request Forgery. The PeachPay plugin exposes an administrative action handler, peachpay_stripe_handle_admin_actions, that processes state-changing operations on Stripe payment credentials. The function lacks proper nonce validation, which is the standard WordPress mechanism for verifying that a request originated from an authenticated administrator action rather than a forged cross-origin request.
When an authenticated WordPress administrator visits an attacker-controlled page or clicks a malicious link, the browser automatically attaches valid session cookies to the forged request. The plugin processes the request as legitimate and executes the credential deletion routine. This results in removal of Stripe publishable keys, secret keys, webhook signing secrets, and Apple Pay domain verification data from the WordPress options table.
Root Cause
The root cause is the absence of a verified nonce token check inside peachpay_stripe_handle_admin_actions before performing destructive operations on stored payment configuration. WordPress provides wp_verify_nonce() and check_admin_referer() helpers specifically to defend against CSRF, but the vulnerable code path does not enforce them. Referenced source files include core/admin/settings.php and core/payments/stripe/functions.php in the plugin repository.
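To make the missing check concrete, here is an added illustrative handler (not the PeachPay plugin's own code; option names, action slugs and the text domain are hypothetical) that deletes stored Stripe credentials, shown first without and then with the capability and nonce checks the advisory describes, together with the settings form that issues the matching nonce.

```php
<?php
// Illustrative example, not the PeachPay plugin's code: an admin-post handler that deletes
// stored Stripe credentials, shown without and then with the nonce check the advisory
// describes. Option names, action slugs and the text domain are hypothetical.
const EXAMPLE_STRIPE_OPTIONS = array( 'example_stripe_publishable_key', 'example_stripe_secret_key', 'example_stripe_webhook_secret' );

// BEFORE: the destructive branch runs as soon as the action parameter matches. A cross-site
// form auto-submitted by a logged-in admin's browser arrives with valid session cookies and
// nothing ties the request to a page the admin actually rendered.
function example_stripe_admin_actions_vulnerable() {
    if ( isset( $_REQUEST['example_action'] ) && 'clear_stripe' === $_REQUEST['example_action'] ) {
        foreach ( EXAMPLE_STRIPE_OPTIONS as $name ) {
            delete_option( $name );
        }
    }
}

// AFTER: capability check plus check_admin_referer(), which validates _wpnonce against the
// action string and the current user's session and halts with a 403 page if it is missing or wrong.
function example_stripe_admin_actions_fixed() {
    if ( ! isset( $_REQUEST['example_action'] ) || 'clear_stripe' !== $_REQUEST['example_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    check_admin_referer( 'example_clear_stripe' );
    foreach ( EXAMPLE_STRIPE_OPTIONS as $name ) {
        delete_option( $name );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&cleared=1' ) );
    exit;
}

// The legitimate trigger: wp_nonce_field() emits the hidden _wpnonce input for the same action
// string, so only a form rendered to the logged-in admin carries a token the handler accepts.
function example_render_clear_stripe_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_clear_stripe">
        <input type="hidden" name="example_action" value="clear_stripe">
        <?php wp_nonce_field( 'example_clear_stripe' ); ?>
        <?php submit_button( __( 'Remove Stripe credentials', 'example' ), 'delete' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_clear_stripe', 'example_stripe_admin_actions_fixed' );
```

Only the fixed handler is registered; a forged cross-site POST reaching it fails at check_admin_referer() before any delete_option() call.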
Attack Vector
Exploitation requires user interaction from an authenticated administrator. An attacker crafts a malicious HTML page, email, or link containing an auto-submitting form or image tag targeting the vulnerable admin action endpoint. When the administrator opens the resource while logged into WordPress, the browser issues the forged request with valid authentication cookies. No credentials or prior access to the WordPress instance are required by the attacker.
No verified proof-of-concept code is available. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-9618
Indicators of Compromise
- Unexpected removal of Stripe credentials from the WordPress wp_options table, including publishable keys, secret keys, and webhook secrets
- Sudden failure of Stripe payment processing on WooCommerce checkout pages with no administrator-initiated configuration change
- Web server access logs showing requests to PeachPay admin action endpoints originating from external Referer headers
- Apple Pay domain verification entries disappearing without administrator action
Detection Strategies
- Monitor WordPress audit logs for changes to PeachPay plugin options, particularly any delete_option operations targeting Stripe configuration keys
- Inspect HTTP request logs for GET or POST requests to PeachPay admin handlers that lack a valid _wpnonce parameter
- Correlate administrator session activity with credential deletion events to identify requests triggered from external referrers
Monitoring Recommendations
- Enable a WordPress activity log plugin to capture option changes and plugin setting modifications in real time
- Alert on any unexpected zeroing or deletion of payment gateway credentials in the database
- Review web application firewall (WAF) logs for cross-origin POSTs targeting WordPress admin URLs
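The detection strategies and monitoring recommendations above can be implemented server-side with a small must-use plugin. The following is an added example, not part of PeachPay or of this advisory; it assumes the watched option names match a pattern (the plugin's real option names are not given here) and logs each deletion or blanking of a matching option with the request context needed to separate an admin-initiated change from a forged cross-site request.

```php
<?php
/**
 * Plugin Name: Example Stripe Credential Change Monitor (illustrative mu-plugin)
 *
 * Added example, not part of PeachPay or the advisory: logs every deletion or blanking of an
 * option whose name matches an assumed pattern, with the request context needed to tell an
 * admin-initiated change from a forged cross-site request. Place in wp-content/mu-plugins/.
 */

// ASSUMPTION: the plugin's real option names are not given on the page; adjust the pattern.
const EXAMPLE_WATCHED_OPTION_PATTERN = '/stripe|peachpay/i';

function example_request_context() {
    $ctx = array(
        'user'      => get_current_user_id(),
        'method'    => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
        'uri'       => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'has_nonce' => isset( $_REQUEST['_wpnonce'] ),
    );
    foreach ( array( 'HTTP_REFERER', 'HTTP_ORIGIN', 'HTTP_SEC_FETCH_SITE' ) as $h ) {
        $ctx[ strtolower( $h ) ] = isset( $_SERVER[ $h ] ) ? $_SERVER[ $h ] : '-';
    }
    return $ctx;
}

// Suspicious when the browser itself reports a cross-site initiator, the Referer host is not
// this site, or a state-changing request carried no nonce parameter at all.
function example_is_suspicious( array $ctx ) {
    $ref_host  = wp_parse_url( $ctx['http_referer'], PHP_URL_HOST );
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $foreign   = $ref_host && $site_host && 0 !== strcasecmp( $ref_host, $site_host );
    return 'cross-site' === $ctx['http_sec_fetch_site'] || $foreign || ! $ctx['has_nonce'];
}

function example_log_option_change( $option, $event ) {
    if ( ! preg_match( EXAMPLE_WATCHED_OPTION_PATTERN, $option ) ) {
        return;
    }
    $ctx   = example_request_context();
    $level = example_is_suspicious( $ctx ) ? 'ALERT' : 'INFO';
    error_log( sprintf( '[%s] option %s: %s %s', $level, $event, $option, wp_json_encode( $ctx ) ) );
}

// 'delete_option' fires inside delete_option() before the row is removed; 'update_option'
// fires before an existing value is overwritten, which catches credentials being blanked.
add_action( 'delete_option', function ( $option ) { example_log_option_change( $option, 'delete' ); } );
add_action( 'update_option', function ( $option, $old, $new ) {
    if ( '' === $new || null === $new ) { example_log_option_change( $option, 'blank' ); }
}, 10, 3 );
```

Entries tagged ALERT are the ones worth correlating with administrator session activity; an INFO entry with a nonce and a same-site Referer is the normal shape of a change made through the plugin's own settings page.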
How to Mitigate CVE-2026-9618
Immediate Actions Required
- Update the PeachPay — Payments & Express Checkout for WooCommerce plugin to a version newer than 1.120.46 as soon as a patched release is available
- Back up current Stripe configuration and store credentials in a secure secrets manager so they can be restored quickly if deleted
- Advise administrators not to browse untrusted sites or click unknown links while authenticated to the WordPress dashboard
Patch Information
Review the plugin changeset referenced in the WordPress Plugin Changeset for the upstream fix. The corrected code path should invoke nonce verification before executing any Stripe credential modification. Site administrators should confirm the patched plugin version is installed by checking the plugin metadata in wp-admin.
Workarounds
- Deploy a web application firewall rule that blocks requests to PeachPay admin action endpoints lacking a valid _wpnonce parameter
- Use a browser session isolation strategy: perform WordPress administration in a dedicated browser profile not used for general browsing
- Temporarily deactivate the PeachPay plugin until a patched version is installed if Stripe processing is not actively required
# Configuration example: ModSecurity-style WAF rule (pseudocode) that blocks PeachPay admin
# actions arriving without any _wpnonce parameter. Adjust the URI pattern to the actual admin
# action endpoint. The rule only checks that a nonce is present, not that it is valid; nonce
# validity is enforced by the patched plugin code.
SecRule REQUEST_URI "@contains peachpay_stripe_handle_admin_actions" \
    "phase:2,chain,deny,status:403,id:1002026,msg:'PeachPay admin action without nonce (CVE-2026-9618)'"
    SecRule &ARGS:_wpnonce "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.