Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials - including publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Technical ContextAI
The affected product is the PeachPay WooCommerce payment plugin (CPE: cpe:2.3:a:peachpay:peachpay_-_payments_&_express_checkout_for_woocommerce_*), which integrates multiple payment gateways - including Stripe, PayPal, Square, Authorize.net, and NMI - into WordPress/WooCommerce storefronts. The root cause is CWE-352 (Cross-Site Request Forgery): WordPress plugins are expected to validate a cryptographic nonce on any state-changing admin action to confirm the request originates from a legitimate authenticated session. Wordfence's source code references pinpoint the failure in peachpay_stripe_handle_admin_actions (core/payments/stripe/functions.php lines 612 and 640) and the linked settings handler (core/admin/settings.php line 190), both in tags 1.120.23 and 1.120.45, confirming the flaw has persisted across multiple release cycles. Because CSRF exploits the browser's automatic credential forwarding, the attacker needs no knowledge of the victim's session token - only the ability to cause a browser request to be sent while the administrator is authenticated.
RemediationAI
Update the PeachPay plugin to the version that incorporates the fix referenced in WordPress plugin SVN changeset 3550723 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3550723%40peachpay-for-woocommerce&new=3550723%40peachpay-for-woocommerce). The exact patched release version number is not independently confirmed from the provided data - administrators should verify through the WordPress plugin dashboard or the official plugin page that they are running a version above 1.120.46. As a compensating control prior to patching, administrators can restrict access to the WordPress admin dashboard to trusted IP ranges using server-level firewall rules or a plugin such as a WAF with admin-path restrictions, which reduces the attack surface by limiting which sessions an attacker could abuse. Additionally, ensure all Stripe credentials are rotated immediately if suspicious admin activity is detected, as the deletion action is irreversible once triggered. The Wordfence threat intelligence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2270b66f-b07c-44ce-b161-7b2123f8c21e) should be monitored for patch version confirmation.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32731
GHSA-2wqg-w33r-qx37