PeachPay WordPress Plugin CSRF Vulnerability Allowing Stripe Unlink (CVE-2026-9618)

Vulnerability Overview Vulnerability Name: PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink CVE ID: CVE-2026-9618 CVSS Score: 4.3 (Medium) Published Date: May 27, 2026 Last Updated Date: May 28, 2026 Researcher: Benedictus Jovan (allessM) Scope Software Type: Plugin Software Name: PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) Affected Versions: <= 1.120.46 Fixed Version: 1.120.47 Remediation Remediation Method: Update to version 1.120.47 or a later fixed version. Additional Information Vulnerability Description: The PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.120.46. This is caused by missing or incorrect nonce verification in the function. This allows unauthorized attackers to permanently delete all stored Stripe credentials—including publishable keys, secret keys, webhook keys, and Apple Pay configurations—from the WordPress database, thereby disabling Stripe payment processing. Attackers can deceive site administrators into executing actions via forged requests triggered by clicking links. References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Share Options Facebook Twitter LinkedIn Email Recent Vulnerabilities PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) - CVE ID: CVE-2025-14978 - CVSS Score: 5.3 - Researcher: Md. Moniruzzaman Prodhun (NomanProdhun) - Published Date: January 19, 2026 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.117.5 - Authenticated (Contributor+) SQL Injection via order_by Parameter - CVE ID: CVE-2025-9463 - CVSS Score: 6.5 - Researcher: Peter Thaleikis - Published Date: September 9, 2025 PeachPay Payments <= 1.117.4 - Missing Authorization - CVE ID: CVE-2025-58534 - CVSS Score: 5.3 - Researcher: Nabil Irawan - Published Date: September 3, 2025 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.112.0 - Reflected Cross-Site Scripting - CVE ID: CVE-2024-11362 - CVSS Score: 6.1 - Researcher: vgo0 - Published Date: November 22, 2024 More Information View More Vulnerabilities In This Software Package: VIEW MORE VULNERABILITIES IN THIS SOFTWARE PACKAGE Copyright Copyright 2012-2026 Defiant Inc. Copyright 1999-2026 The MITRE Corporation Contact Contact Email: wfi-support@wordfence.com Business Hours Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support with a 1-hour response time Terms of Service Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media Twitter Facebook LinkedIn Instagram Products and Services Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form Subscribe for Updates Stay Updated: Subscribe to news and updates from a dashboard of experienced security professionals. Email Input: example@example.com Terms Agreement: By checking this box I agree to the terms of service and privacy policy. Sign Up Button: SIGN UP Copyright Info © 2012-2026 Defiant Inc. All Rights Reserved Additional Information Wordfence Intelligence**: Completely free to query and use, containing all vulnerability data identical to the user interface. Please refer to the API documentation and Webhook documentation for more information.

Goal Reached Thanks to every supporter — we hit 100%!

PeachPay WordPress Plugin CSRF Vulnerability Allowing Stripe Unlink (CVE-2026-9618)

More from this source