Skip to main content

ABC Crypto Checkout CVE-2026-52695

| EUVDEUVD-2026-36902 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-p395-qfmw-392p
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint leaks sensitive data with no user interaction; only confidentiality is impacted, so C:H and I/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:25 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the ABC Crypto Checkout WordPress plugin (versions <= 1.8.2) allows remote attackers to retrieve sensitive information without any credentials over the network. The flaw, reported by Patchstack and tracked as CWE-201, carries a CVSS 7.5 with high confidentiality impact and no integrity or availability effect; no public exploit identified at time of analysis.

Technical ContextAI

ABC Crypto Checkout is a WordPress plugin (CPE cpe:2.3:a:al_monsor:abc_crypto_checkout) that provides a PayerURL-based cryptocurrency payment gateway for WooCommerce stores. The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), where the plugin emits sensitive information - typically API keys, transaction details, merchant secrets, or customer data - through a response path reachable without authentication, such as an AJAX action, REST endpoint, or front-end page. WordPress plugins commonly leak data via unauthenticated admin-ajax handlers, REST routes lacking permission_callback checks, or debug fields rendered in HTML/JSON responses.

RemediationAI

No vendor-released patch identified at time of analysis in the provided input; site operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/payerurl-crypto-currency-payment-gateway-for-woocommerce/vulnerability/wordpress-abc-crypto-checkout-plugin-1-8-2-sensitive-data-exposure-vulnerability) for a fixed release beyond 1.8.2 and upgrade as soon as one is published. Until a patched version is available, deactivate the ABC Crypto Checkout plugin (which disables crypto checkout functionality), or place the WooCommerce checkout behind a WAF rule that blocks unauthenticated requests to the plugin's AJAX/REST endpoints (may break legitimate guest checkout), and rotate any payment gateway API keys or secrets that may have been exposed prior to remediation.

Share

CVE-2026-52695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy