WordPress Plugin Vulnerabilities

Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure

Description

The plugin may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.

Proof of Concept

Affects Plugins

Plugin icon
fortis-for-woocommerce
Fixed in 1.3.1

References

CVE
CVE-2025-15609

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
WPScan Team
Submitter
WPScan Team
Submitter website
https://wpscan.com
Submitter twitter
_WPScan_
Verified
Yes
WPVDB ID
220f72ea-e3b4-44c9-8c9b-15662aebb6cb

Timeline

Publicly Published
2026-04-28 (about 21 days ago)
Added
2026-04-28 (about 20 days ago)
Last Updated
2026-04-28 (about 20 days ago)

Other

Published
Title
Published
2025-01-03
Title
WP SecureSubmit <= 1.5.20 - Unauthenticated Sensitive Information Exposure
Published
2024-07-26
Title
Campaign Monitor for WordPress < 2.8.16 - Unauthenticated Full Path Disclosure
Published
2023-07-19
Title
Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure
Published
2026-02-17
Title
Context Blog < 1.2.6 - Unauthenticated Private Post Disclosure
Published
2024-04-02
Title
WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure