Skip to main content

Conekta Payment Gateway EUVDEUVD-2026-36873

| CVE-2026-49066 HIGH
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 Patchstack GHSA-gf3x-cwp4-jgfv
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint discloses sensitive data with no user interaction; confidentiality high, no integrity or availability impact per CWE-497.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:39 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Conekta Payment Gateway WordPress plugin (versions 6.0.0 and earlier) allows remote attackers to retrieve confidential information without authentication or user interaction. The flaw, tracked by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information), carries a CVSS 7.5 score driven entirely by a high confidentiality impact over the network. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV.

Technical ContextAI

The affected component is the Conekta Payment Gateway plugin for WordPress (CPE cpe:2.3:a:conekta_group:conekta_payment_gateway), which integrates the Conekta payment processor into WooCommerce-style checkout flows and handles transaction credentials, API keys, and customer billing data. CWE-497 describes a class of bugs where system-level data intended for trusted users (configuration, internal state, credentials) is reachable by an untrusted actor - in payment plugins this typically manifests as unprotected REST endpoints, debug/log files, or admin-ajax handlers that return secrets without checking capabilities or nonces. Because WordPress plugins execute inside the same PHP runtime as the site, any handler registered without an authentication check is reachable by anonymous HTTP requests to the site root.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data - only the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/conekta-payment-gateway/vulnerability/wordpress-conekta-payment-gateway-plugin-6-0-0-sensitive-data-exposure-vulnerability is referenced, so administrators should check that page and the plugin's WordPress.org listing for a version above 6.0.0 and upgrade immediately once available. As compensating controls until a fix lands, restrict access to the plugin's exposed endpoints at the web server or WAF layer by blocking anonymous requests to plugin paths under /wp-content/plugins/conekta-payment-gateway/ and to any plugin-registered REST routes (/wp-json/conekta/*) and admin-ajax actions originating from the plugin, accepting that this may break legitimate checkout callbacks and require allowlisting Conekta's webhook IP ranges. Rotate any Conekta API keys and webhook secrets configured in the plugin on the assumption that they may already have been read, and consider temporarily deactivating the plugin if the site is high-value and a patch is not yet published.

Share

EUVD-2026-36873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy