CVE-2026-9618: PeachPay WordPress Plugin CSRF Vulnerability – Stripe Credentials at Risk
The PeachPay plugin for WordPress, which integrates payment processing for Stripe, PayPal, Square, and other providers, contains a cross-site request forgery (CSRF) vulnerability in all versions up to 1.120.46. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently deletes all stored Stripe credentials from the site's database without the administrator's knowledge or consent. This disables Stripe payments immediately and requires the administrator to reconfigure the integration. The attack requires social engineering to trick an admin into clicking the link, but requires no special authentication or technical sophistication once the admin takes the bait.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials — including publishable keys, secret keys, webhook secrets, and Apple Pay configuration — from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The peachpay_stripe_handle_admin_actions function fails to implement or properly validate nonce tokens on sensitive administrative actions. Nonces are WordPress's standard CSRF defense mechanism—random, time-limited tokens that prevent unauthorized requests from executing when submitted from external sites. Without proper nonce validation, an attacker can construct a request (via a forged form submission, image tag, or JavaScript) that deletes Stripe configuration data when a logged-in administrator visits the attacker's controlled page. The vulnerability affects the deletion of publishable keys, secret keys, webhook secrets, and Apple Pay configuration. The attack vector is network-based and requires user interaction (the admin must visit the malicious link), but places no other preconditions on successful exploitation.
Business impact
A successful attack disables Stripe payment processing without alerting the site administrator in real time. Depending on store configuration, this may be the primary or sole payment method, causing immediate checkout failures and potential revenue loss. Recovery requires the administrator to notice the outage, log in to the PeachPay settings, and manually reconfigure Stripe credentials—a process that adds downtime and operational overhead. For multi-vendor or high-traffic stores, the window of lost payments can be significant. Additionally, if the attacker performs this attack repeatedly or in coordination with other disruptions, it amplifies reputational and operational damage.
Affected systems
WordPress installations running the PeachPay — Payments & Express Checkout for WooCommerce plugin in any version up to and including 1.120.46 are affected. The plugin supports integration with Stripe, PayPal, Square, Authorize.net, and NMI; however, the CSRF flaw specifically targets the Stripe credential storage and deletion mechanism. Any WordPress site using PeachPay for Stripe payment processing is at risk if the site administrator is socially engineered into clicking a malicious link. The vulnerability does not require special server configuration or exposed debug endpoints.
Exploitability
Exploitability is moderate. The attack requires no specialized tools or knowledge—a threat actor can craft a simple HTML form or redirect that issues a forged DELETE request. However, success depends entirely on social engineering: the attacker must convince a WordPress administrator (a higher-privilege user) to click a link. The attack does not require the attacker to be authenticated, does not leak sensitive data directly, and does not achieve remote code execution. The low-friction nature of CSRF attacks—combined with phishing, forum comments, email, or malicious ads—makes this a practical risk in real-world scenarios, particularly against busy administrators or less security-aware organizations.
Remediation
Site administrators must update PeachPay to a patched version that implements proper nonce validation on all administrative actions, particularly peachpay_stripe_handle_admin_actions. Verify the patched version number against the vendor's official advisory and security changelog. After updating, administrators should review their Stripe configuration in the PeachPay settings to confirm that keys, webhooks, and Apple Pay settings remain intact. Additionally, implement WordPress security hardening: ensure administrators use strong, unique passwords; enable two-factor authentication; restrict administrative access by IP if feasible; and educate administrators to avoid clicking suspicious links.
Patch guidance
Consult the official PeachPay plugin repository and security advisories for the specific patched version number. Apply the update through the WordPress plugin dashboard (Plugins > Installed Plugins > PeachPay > Update if available) or via direct download from the vendor. After patching, test Stripe payment processing in a staging environment or on a test transaction to confirm credentials remain in place and are functional. If you cannot immediately patch, temporarily disable Stripe payment processing or restrict PeachPay admin access to trusted IP addresses as a temporary mitigation.
Detection guidance
Monitor WordPress admin access logs for unexpected or unusual DELETE or POST requests to the peachpay_stripe_handle_admin_actions endpoint. Review WooCommerce payment gateway settings and Stripe API dashboard for any unexplained removal or modification of API keys or webhook configurations. Implement Web Application Firewall (WAF) rules to flag or block requests to sensitive WordPress admin endpoints from untrusted referrers. Enable WordPress security audit logging (via plugins like Wordfence or similar) to capture administrative action history. Establish alerting on changes to payment gateway configuration to catch malicious deletion events shortly after they occur.
Why prioritize this
Although assigned a MEDIUM CVSS score, this vulnerability warrants prompt attention because it directly impacts payment processing, a critical business function. The attack surface is the WordPress administrator base, which is typically smaller and more targeted than end-user populations. Exploit barriers are low (social engineering is common), and remediation is straightforward (a plugin update). Organizations relying heavily on Stripe and operating in high-fraud environments or facing active phishing campaigns should prioritize this update urgently.
Risk score, explained
CVSS 3.1 scores this as 4.3 (MEDIUM): Network-accessible, low attack complexity, no privileges required, user interaction required, and limited integrity impact (deletion of configuration, not data exposure or code execution). The score reflects that this is a destructive but not data-exfiltrating attack, and it depends on social engineering. In practice, organizations with strong administrator awareness and access controls may face lower actual risk; those in active spear-phishing campaigns should treat this as higher priority regardless of the base CVSS.
Frequently asked questions
Will updating PeachPay restore my deleted Stripe credentials?
No. The patch prevents future deletion via CSRF; it does not recover already-deleted credentials. If your Stripe keys were deleted before patching, you must manually re-enter your Stripe API keys, webhook endpoint, and Apple Pay configuration in the PeachPay settings. Check your Stripe dashboard to retrieve your current keys and ensure webhooks are re-registered with the correct endpoint URL.
Are PayPal, Square, and other payment methods also vulnerable?
This specific CVE concerns the Stripe credential handling in peachpay_stripe_handle_admin_actions. Other payment integrations may have separate implementations and may not be affected. However, if you use PeachPay, update promptly to ensure all nonce validation is properly implemented across the plugin.
Do I need special tools or access to exploit this vulnerability?
No. An attacker only needs to craft a simple HTML form or redirect link and persuade a WordPress administrator to click it. The attacker does not need access to your site, server credentials, or special knowledge. This is why social engineering awareness and two-factor authentication are important defenses.
If I disable Stripe temporarily, am I protected?
Disabling Stripe in PeachPay settings removes the attack surface for this specific CSRF vector, but does not patch the underlying vulnerability. Update the plugin as soon as possible. Temporary disablement is only a stopgap measure.
This analysis is based on the official CVE record and vendor advisories available as of the publication date. Patch version numbers, remediation steps, and affected product details should be verified against the official PeachPay security advisory and vendor documentation before implementation. SEC.co does not guarantee the accuracy of third-party vendor information. Organizations should conduct independent testing of patches in non-production environments before deployment. This vulnerability does not include active exploitation in the wild at the time of publication, but social engineering attacks are unpredictable. Always refer to the NIST NVD, the vendor's official repository, and your security team for the most current guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2026-4071MEDIUMBirdSeed WordPress Plugin CSRF Vulnerability – Patch & Detection Guide
- CVE-2026-42073MEDIUMOpenClaude OAuth State Validation Bypass Denial of Service
- CVE-2026-45610MEDIUMWWBN AVideo 2FA CSRF Vulnerability – Cross-Site Account Takeover Risk