Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress plugin endpoint leaks sensitive data with no user interaction; only confidentiality is impacted, so C:H and I/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the ABC Crypto Checkout WordPress plugin (versions <= 1.8.2) allows remote attackers to retrieve sensitive information without any credentials over the network. The flaw, reported by Patchstack and tracked as CWE-201, carries a CVSS 7.5 with high confidentiality impact and no integrity or availability effect; no public exploit identified at time of analysis.
Technical ContextAI
ABC Crypto Checkout is a WordPress plugin (CPE cpe:2.3:a:al_monsor:abc_crypto_checkout) that provides a PayerURL-based cryptocurrency payment gateway for WooCommerce stores. The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), where the plugin emits sensitive information - typically API keys, transaction details, merchant secrets, or customer data - through a response path reachable without authentication, such as an AJAX action, REST endpoint, or front-end page. WordPress plugins commonly leak data via unauthenticated admin-ajax handlers, REST routes lacking permission_callback checks, or debug fields rendered in HTML/JSON responses.
RemediationAI
No vendor-released patch identified at time of analysis in the provided input; site operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/payerurl-crypto-currency-payment-gateway-for-woocommerce/vulnerability/wordpress-abc-crypto-checkout-plugin-1-8-2-sensitive-data-exposure-vulnerability) for a fixed release beyond 1.8.2 and upgrade as soon as one is published. Until a patched version is available, deactivate the ABC Crypto Checkout plugin (which disables crypto checkout functionality), or place the WooCommerce checkout behind a WAF rule that blocks unauthenticated requests to the plugin's AJAX/REST endpoints (may break legitimate guest checkout), and rotate any payment gateway API keys or secrets that may have been exposed prior to remediation.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36902
GHSA-p395-qfmw-392p