← back
CVE-2025-15609

Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure

CVSS 7.5 HIGHEPSS 0.4%
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.5EPSS 0.4%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
19 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Unknown · Fortis for WooCommerce
public PoCs found1
cve_referencewpscan.com/vulnerability/220f72ea-e3b4-44c9-8c9b-15662aebb6cb/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/220f72ea-e3b4-44c9-8c9b-15662aebb6cb/