PeachPay
Moderate fix1 remedy
Moderate fix1 remedy
- <= 1.120.46
PeachPay WooCommerce Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
Patched
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the PeachPay Payments & Express Checkout for WooCommerce plugin, specifically in versions up to and including 1.120.46. The issue arises from inadequate nonce validation in the 'peachpay_stripe_handle_admin_actions' function. This vulnerability allows unauthenticated attackers to delete all stored Stripe credentials from the WordPress database, including keys and Apple Pay configuration, by tricking a site administrator into clicking a link.
Impact
Exploitation of this vulnerability allows for the unauthorized deletion of Stripe credentials, disrupting payment processing via Stripe.
Reproduction
To reproduce this vulnerability, an attacker must send a forged request to the WordPress site, targeting the 'peachpay_stripe_handle_admin_actions' function. This can be done by including a valid nonce for the 'peachpay-stripe-unlink' action, which is not properly validated, thereby allowing the request to be processed and the Stripe credentials to be deleted.
Remediation
Users are advised to update the PeachPay WooCommerce plugin to version 1.120.47, where this vulnerability has been addressed.
Added: May 28, 2026, 9:02 AM
Updated: May 28, 2026, 9:02 AM
Vulnerability Rating
Custom Algorithm
spread
0.0impact
2.5exploitability
7.2remediation
0.0relevance
9.7threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.