VYPR
High severity · 7.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2025-15609

Description

The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated API key disclosure in Fortis for WooCommerce plugin versions before 1.3.1 allows retrieval of customer PII and order data.

Vulnerability

The Fortis for WooCommerce WordPress plugin versions before 1.3.1 may leak sensitive API keys to unauthenticated attackers. This vulnerability allows an attacker with no authentication to retrieve API keys that are used to query the Fortis payment gateway's API [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the plugin's endpoint without any prior authentication or user interaction. The attacker does not need any special privileges or specific conditions beyond network access to the WordPress site [1].

Impact

Successful exploitation enables the attacker to use the leaked API keys to query the Fortis API directly, retrieving sensitive customer information such as past orders and personally identifiable information (PII). This results in a significant confidentiality breach [1].

Mitigation

The vulnerability has been fixed in version 1.3.1 of the Fortis for WooCommerce plugin. Users are strongly advised to update to this version immediately. No other workarounds have been disclosed in the available references [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
