CVE-2026-49066

Vulnerability

The Conekta Payment Gateway plugin for WordPress versions up to and including 6.0.0 contains an unauthenticated sensitive data exposure vulnerability. The plugin fails to properly restrict access to certain endpoints or data, allowing any unauthenticated user to retrieve sensitive information that should be protected. This affects all installations running the plugin version 6.0.0 or earlier [1].

Exploitation

An attacker can exploit this vulnerability without any authentication or user interaction. By sending a crafted HTTP request to a vulnerable endpoint of the WordPress site, the attacker can retrieve sensitive data exposed by the plugin. No special network position or privileges are required; the attacker only needs network access to the target site [1].

Impact

Successful exploitation allows an attacker to view sensitive information that is normally not accessible to regular users. This may include payment transaction details, API keys, customer personal data, or other confidential information handled by the Conekta Payment Gateway. Such exposure can be leveraged to conduct further attacks, such as fraud, identity theft, or compromise of other systems [1].

Mitigation

The vulnerability is fixed in version 6.0.1 of the Conekta Payment Gateway plugin. Users are strongly advised to update to 6.0.1 or later immediately. No virtual patch is available for this vulnerability, and no workaround has been provided. The update is the only reliable mitigation [1].