CVE-2026-9618
Description
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials — including publishable keys, secret keys, webhook secrets, and Apple Pay configuration — from the WordPress database, disabling Stripe payment processing for the store via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in PeachPay WordPress plugin up to 1.120.46 allows attackers to delete all stored Stripe credentials, disabling payment processing.
Vulnerability
The PeachPay — Payments & Express Checkout for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.120.46. The flaw resides in the peachpay_stripe_handle_admin_actions function, which lacks proper nonce validation. This function handles administrative actions related to Stripe settings, and without a nonce check, an attacker can forge requests on behalf of a site administrator [1][2][3][4].
Exploitation
An unauthenticated attacker can exploit this CSRF by crafting a malicious link or form. The attacker must trick a site administrator into performing an action such as clicking a link or submitting a form while authenticated. When the administrator triggers the forged request, the plugin's peachpay_stripe_handle_admin_actions function executes the attacker's desired action without proper verification [description].
Impact
Successful exploitation allows an attacker to permanently delete all stored Stripe credentials from the WordPress database. This includes publishable keys, secret keys, webhook secrets, and Apple Pay configuration. As a result, Stripe payment processing for the WooCommerce store is disabled, potentially causing significant disruption to the store's payment capabilities [description].
Mitigation
As of the publication date, no patched version has been released. The issue affects all versions up to 1.120.46. Users should monitor the PeachPay plugin changelog for a security update. Until a fix is available, administrators are advised to be cautious of unsolicited links and consider adding additional CSRF protections or temporarily disabling the Stripe integration if the risk is deemed high. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
- https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.23/core/payments/stripe/functions.php#L612
- https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.23/core/payments/stripe/functions.php#L640
- https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.45/core/payments/stripe/functions.php#L612
- https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.45/core/payments/stripe/functions.php#L640
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.120.46
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function allows CSRF attacks."
Attack vector
An unauthenticated attacker crafts a forged request (e.g., a link or form submission) targeting the `peachpay_stripe_handle_admin_actions` function, which lacks nonce validation [ref_id=1]. If a logged-in WordPress administrator is tricked into clicking the link or submitting the form (a CSRF attack), the function executes the attacker's desired action — permanently deleting all stored Stripe credentials (publishable keys, secret keys, webhook secrets, Apple Pay configuration) from the database. This disables Stripe payment processing for the store. The attack requires no authentication and is performed over the network.
Affected code
The vulnerability exists in the `peachpay_stripe_handle_admin_actions` function within the PeachPay Stripe integration. The reference write-up [ref_id=1] shows that this function lacks nonce validation, unlike other admin AJAX handlers in the same file (e.g., `peachpay_stripe_handle_capture_payment`, `peachpay_stripe_handle_void_payment`) which properly check `wp_verify_nonce`. The exact file path is not fully shown in the truncated reference, but the function is part of the Stripe admin actions handler.
What the fix does
The advisory states the vulnerability is due to "missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function." No patch is shown in the provided bundle. The remediation would be to add a `wp_verify_nonce` check at the start of `peachpay_stripe_handle_admin_actions`, consistent with how other AJAX handlers in the same file (e.g., `peachpay_stripe_handle_capture_payment`) validate requests using a nonce like `'peachpay-stripe-capture-payment'`. Until a fix is applied, site administrators should avoid clicking untrusted links while logged into the WordPress admin.
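As an added illustration (not PeachPay's code, which the page does not show), the PHP below sketches the unprotected admin-AJAX handler pattern the advisory describes next to the standard WordPress remediation: a nonce check via `check_ajax_referer()` (which wraps `wp_verify_nonce()`) followed by a capability check, plus the settings-page code that issues the nonce to the legitimate client. The function names, option keys, AJAX action, hook suffix and the nonce action string `'example-stripe-admin-actions'` are all assumptions made for this example; only `peachpay_stripe_handle_admin_actions` and the `'peachpay-stripe-capture-payment'` naming style come from the page.

```php
<?php
/**
 * Added illustration, not PeachPay's code. Option keys, the AJAX action,
 * the hook suffix and the nonce action string are ASSUMPTIONS.
 */

// Hypothetical option keys standing in for the Stripe credentials the
// advisory says get deleted. The plugin's real key names are not on the page.
const EXAMPLE_STRIPE_OPTIONS = array(
    'example_stripe_publishable_key',
    'example_stripe_secret_key',
    'example_stripe_webhook_secret',
    'example_stripe_apple_pay_config',
);

/**
 * BEFORE (vulnerable pattern): the handler acts on $_POST as soon as the
 * request carries a logged-in administrator's session cookie. A page on
 * any other site can auto-submit a form to admin-ajax.php and reach the
 * delete branch, because browsers attach the cookie automatically.
 */
function example_stripe_handle_admin_actions_vulnerable() {
    $action = isset( $_POST['stripe_action'] ) ? sanitize_text_field( wp_unslash( $_POST['stripe_action'] ) ) : '';
    if ( 'disconnect' === $action ) {
        foreach ( EXAMPLE_STRIPE_OPTIONS as $option ) {
            delete_option( $option );
        }
    }
    wp_send_json_success();
}

/**
 * AFTER (hardened): verify a nonce bound to this specific action, then
 * check the caller's capability. check_ajax_referer() calls
 * wp_verify_nonce() and, by default, ends the request with "-1" when the
 * nonce is absent or invalid, so nothing below it runs for a forged request.
 */
function example_stripe_handle_admin_actions_fixed() {
    // 1. Nonce: a cross-site page cannot read the token that this site
    //    rendered for this user, so a forged request fails here.
    check_ajax_referer( 'example-stripe-admin-actions', 'security' );

    // 2. Capability: a nonce proves intent, not authorization. Only users
    //    allowed to manage the shop may remove payment credentials.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $action = isset( $_POST['stripe_action'] ) ? sanitize_text_field( wp_unslash( $_POST['stripe_action'] ) ) : '';
    if ( 'disconnect' === $action ) {
        foreach ( EXAMPLE_STRIPE_OPTIONS as $option ) {
            delete_option( $option );
        }
        wp_send_json_success( array( 'message' => 'Stripe credentials removed.' ) );
    }
    wp_send_json_error( array( 'message' => 'Unknown action.' ), 400 );
}
add_action( 'wp_ajax_example_stripe_admin_actions', 'example_stripe_handle_admin_actions_fixed' );

/**
 * Issue the nonce only on the plugin's own settings screen. The page's
 * JavaScript reads it from window.exampleStripeAdmin.nonce and sends it
 * back in the 'security' POST field that check_ajax_referer() inspects.
 */
function example_stripe_enqueue_admin_script( $hook_suffix ) {
    // Assumed hook suffix for the hypothetical settings page.
    if ( 'woocommerce_page_example-stripe-settings' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-stripe-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script(
        'example-stripe-admin',
        'exampleStripeAdmin',
        array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'example-stripe-admin-actions' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'example_stripe_enqueue_admin_script' );
```

The legitimate settings page posts `action=example_stripe_admin_actions`, `stripe_action=disconnect` and `security=<nonce>` to `admin-ajax.php`; a form auto-submitted from another origin can carry the first two fields and the admin's cookie but cannot supply a valid `security` value, so the hardened handler rejects it before the delete branch. Two points matter when reviewing such a fix: the nonce check must be the first statement, ahead of any state change, and it must not be treated as a substitute for the capability check, since WordPress nonces are per-user intent tokens rather than permissions.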
Preconditions
- auth: A WordPress administrator must be logged in and tricked into clicking a crafted link or submitting a malicious form.
- network: The attacker must be able to craft a CSRF request targeting the peachpay_stripe_handle_admin_actions AJAX endpoint.
- config: The PeachPay plugin must be installed and active with Stripe integration configured.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.23/core/admin/settings.php
- plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.23/core/payments/stripe/functions.php
- plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.45/core/admin/settings.php
- plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.120.45/core/payments/stripe/functions.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/2270b66f-b07c-44ce-b161-7b2123f8c21e
News mentions
No linked articles in our index yet.