The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Fortis for WooCommerce plugin before version 1.3.1 contains a critical information disclosure vulnerability that allows unauthenticated attackers to access sensitive API keys. These keys provide direct access to the Fortis payment API, enabling threat actors to retrieve confidential customer data including order history, personally identifiable information (PII), and transaction details. Any WordPress site running the vulnerable plugin version is at risk, particularly e-commerce businesses handling payment processing through Fortis. The vulnerability is especially dangerous because it requires no authentication, authentication bypass, or user interaction—attackers can passively discover and exploit exposed credentials at scale.
While this CVE lacks mapped MITRE ATT&CK techniques and CWE classifications, Casky's extended reasoning capabilities would detect the underlying attack pattern as Credential Access (T1528 - Steal Application Access Token) combined with Collection techniques (T1123 or similar data aggregation). Practitioners using Casky would identify findings showing unauthenticated requests to plugin endpoints returning API credentials in responses, configuration files, or debug output. The platform's 754 security skills would flag anomalies including: plaintext credential exposure in client-side code or HTTP responses, insufficient access controls on sensitive endpoints, and API key usage from unfamiliar IP addresses or geographic locations attempting bulk data queries. Security teams would see detection signals for credential theft attempts followed by reconnaissance against the Fortis API, indicating active exploitation in progress.
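One way to run the "credential exposure in HTTP responses" check described above against your own site, as an added example that is not Casky's or the plugin's code. It assumes you already hold the configured key and a set of response bodies fetched without authentication; the key value, URLs, field names and function names are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import quote

FIXED_VERSION = (1, 3, 1)  # advisory: versions before 1.3.1 are affected

def is_affected(version):
    """True when an installed plugin version sorts before 1.3.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) < FIXED_VERSION

def secret_variants(secret):
    """Encodings in which a key tends to appear inside a response body."""
    raw = secret.encode()
    return {
        "plain": secret,
        "json-escaped": json.dumps(secret)[1:-1],
        "url-encoded": quote(secret, safe=""),
        # Matches only when the key was base64-encoded on its own.
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
    }

def find_leaks(responses, secrets):
    """Return (url, secret_name, encoding) for each secret found in a body."""
    hits = []
    for url, body in responses:
        for name, value in secrets.items():
            for encoding, needle in secret_variants(value).items():
                if needle in body:
                    hits.append((url, name, encoding))
                    break  # one finding per secret per response
    return hits

# Constructed sample data: placeholder key, hypothetical URLs and field names.
SECRETS = {"fortis_api_key": "EXAMPLE-KEY-0000/constructed+value"}
B64_KEY = base64.b64encode(SECRETS["fortis_api_key"].encode()).decode()
RESPONSES = [  # bodies fetched without cookies or auth headers
    ("https://shop.example/checkout/", '<script>var cfg={"apiKey":"EXAMPLE-KEY-0000/constructed+value"};</script>'),
    ("https://shop.example/debug.log", "request: key=EXAMPLE-KEY-0000%2Fconstructed%2Bvalue"),
    ("https://shop.example/wp-json/", '{"settings":"' + B64_KEY + '"}'),
    ("https://shop.example/cart/", "<html><body>Your cart is empty</body></html>"),
]

if __name__ == "__main__":
    for hit in find_leaks(RESPONSES, SECRETS):
        print("LEAK", *hit)
```

Any hit means the key has been served to unauthenticated clients and should be rotated after upgrading to 1.3.1 or later.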
Casky has 0 skills that investigate the attack patterns behind CVE-2025-15609. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation