Fortis for WooCommerce Sensitive API Key Disclosure Vulnerability

Vulnerability

A vulnerability in the Fortis for WooCommerce WordPress plugin, affecting versions prior to 1.3.1, may allow unauthenticated attackers to access sensitive API keys. This exposure could be exploited to query Fortis' API and retrieve confidential customer information, including past orders and personally identifiable information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive customer data, including API keys, order history, and personal information.

Reproduction

To reproduce this vulnerability, add a product to the cart, then send a GET request to 'wp-admin/admin-ajax.php' with the action 'fortis_ajax_request'. The response will include a 'fortis' object containing leaked information such as 'production_user_id' and 'production_user_api_key'.
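As an added example (not code from the plugin or from this advisory), the Python script below scans web server access logs for the request described above, so a site owner can see which clients called the action while a vulnerable version was installed. It assumes the Apache/nginx "combined" log format, and the sample lines are constructed. A hit is a candidate for review, not proof of abuse.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=fortis_ajax_request HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.7 - - [18/May/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=fortis%5Fajax%5Frequest HTTP/1.1" 200 812 "-" "curl/8.5.0"
198.51.100.4 - - [18/May/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [18/May/2026:10:03:00 +0000] "GET /shop/wp-admin/admin-ajax.php?action=fortis_ajax_request HTTP/1.1" 403 12 "-" "Mozilla/5.0"
192.0.2.55 - - [18/May/2026:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Assumed layout: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_fortis_ajax_hits(log_text):
    """Return {client_ip: {"count", "ok", "first", "last"}} for GET requests to
    wp-admin/admin-ajax.php whose action parameter is fortis_ajax_request."""
    hits = defaultdict(lambda: {"count": 0, "ok": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        # endswith() also covers WordPress installed in a subdirectory
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so encoded spellings of the action still match
        if "fortis_ajax_request" not in parse_qs(url.query).get("action", []):
            continue
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["ok"] += m["status"] == "200"  # count responses served with HTTP 200
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for ip, rec in find_fortis_ajax_hits(SAMPLE_LOG).items():
        print(ip, rec)
```

Only the request line is inspected, so an action supplied in a POST body does not appear in these logs and is not counted.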

Remediation

Users are advised to update the Fortis for WooCommerce WordPress plugin to version 1.3.1 or later.

Added: May 19, 2026, 7:22 AM
Updated: May 19, 2026, 7:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.