PeachPay WordPress Plugin CSRF Vulnerability Allowing Stripe Unlink (CVE-2026-9618)

漏洞概述 漏洞名称: PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink CVE ID: CVE-2026-9618 CVSS评分: 4.3 (Medium) 发布日期: May 27, 2026 最后更新日期: May 28, 2026 研究人员: Benedictus Jovan (allessM) 影响范围 软件类型: Plugin 软件名称: PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) 受影响版本: <= 1.120.46 修复版本: 1.120.47 修复方案 修复方法: 更新到版本 1.120.47 或更新的已修复版本。 其他信息 漏洞描述: PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) 插件在 WordPress 中存在跨站请求伪造（CSRF）漏洞，影响所有版本直至并包括 1.120.46。这是由于缺少或不正确的 nonce 验证在 peachpay_stripe_handle_admin_actions 函数中。这使得未授权的攻击者能够永久删除所有存储的 Stripe 凭据——包括可发布密钥、秘密密钥、webhook 密钥和 Apple Pay 配置——从 WordPress 数据库，禁用 Stripe 支付处理，并通过伪造的请求授予他们可以通过点击链接来欺骗网站管理员执行操作。 参考文献 plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org 分享选项 Facebook Twitter LinkedIn Email 近期漏洞 PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) - CVE ID: CVE-2025-14978 - CVSS评分: 5.3 - 研究人员: Md. Moniruzzaman Prodhun (NomanProdhun) - 发布日期: January 19, 2026 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.117.5 - Authenticated (Contributor+) SQL Injection via order_by Parameter - CVE ID: CVE-2025-9463 - CVSS评分: 6.5 - 研究人员: Peter Thaleikis - 发布日期: September 9, 2025 PeachPay Payments <= 1.117.4 - Missing Authorization - CVE ID: CVE-2025-58534 - CVSS评分: 5.3 - 研究人员: Nabil Irawan - 发布日期: September 3, 2025 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.112.0 - Reflected Cross-Site Scripting - CVE ID: CVE-2024-11362 - CVSS评分: 6.1 - 研究人员: vgo0 - 发布日期: November 22, 2024 更多信息 查看此软件包中的更多漏洞: VIEW MORE VULNERABILITIES IN THIS SOFTWARE PACKAGE 版权声明 Copyright 2012-2026 Defiant Inc. Copyright 1999-2026 The MITRE Corporation 联系方式 联系邮箱: wfi-support@wordfence.com 业务时间 业务时间: 9am-8pm ET, 6am-5pm PT 和 2pm-1am UTC/GMT（不包括周末和节假日） 响应时间: 24小时支持，每年365天，响应时间为1小时 服务条款 Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information 社交媒体 Twitter Facebook LinkedIn Instagram 产品与服务 Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form 订阅更新 Stay Updated: 注册新闻和更新，来自经验丰富的安全专业人士的仪表板。 邮箱输入框: example@example.com 同意条款: By checking this box I agree to the terms of service and privacy policy. 注册按钮: SIGN UP 版权信息 © 2012-2026 Defiant Inc. All Rights Reserved 其他信息 Wordfence Intelligence: 完全免费查询和使用，包含所有与用户界面相同的漏洞数据。请查看API文档和Webhook文档以获取更多信息。 近期漏洞列表 PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) - CVE ID: CVE-2025-14978 - CVSS评分: 5.3 - 研究人员: Md. Moniruzzaman Prodhun (NomanProdhun) - 发布日期: January 19, 2026 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.117.5 - Authenticated (Contributor+) SQL Injection via order_by Parameter - CVE ID: CVE-2025-9463 - CVSS评分: 6.5 - 研究人员: Peter Thaleikis - 发布日期: September 9, 2025 PeachPay Payments <= 1.117.4 - Missing Authorization - CVE ID: CVE-2025-58534 - CVSS评分: 5.3 - 研究人员: Nabil Irawan - 发布日期: September 3, 2025 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.112.0 - Reflected Cross-Site Scripting - CVE ID: CVE-2024-11362 - CVSS评分: 6.1 - 研究人员: vgo0 - 发布日期: November 22, 2024 更多信息 查看此软件包中的更多漏洞: VIEW MORE VULNERABILITIES IN THIS SOFTWARE PACKAGE 版权声明 Copyright 2012-2026 Defiant Inc. Copyright 1999-2026 The MITRE Corporation 联系方式 联系邮箱: wfi-support@wordfence.com 业务时间 业务时间: 9am-8pm ET, 6am-5pm PT 和 2pm-1am UTC/GMT（不包括周末和节假日） 响应时间: 24小时支持，每年365天，响应时间为1小时 服务条款 Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information 社交媒体 Twitter Facebook LinkedIn Instagram 产品与服务 Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form 订阅更新 Stay Updated: 注册新闻和更新，来自经验丰富的安全专业人士的仪表板。 邮箱输入框: example@example.com 同意条款: By checking this box I agree to the terms of service and privacy policy. 注册按钮: SIGN UP 版权信息 © 2012-2026 Defiant Inc. All Rights Reserved 其他信息 Wordfence Intelligence: 完全免费查询和使用，包含所有与用户界面相同的漏洞数据。请查看API文档和Webhook文档以获取更多信息。

目標達成すべての支援者に感謝 — 100%達成しました！

PeachPay WordPress Plugin CSRF Vulnerability Allowing Stripe Unlink (CVE-2026-9618)

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

PeachPay WordPress Plugin CSRF Vulnerability Allowing Stripe Unlink (CVE-2026-9618)

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！