PatchSiren cyber security CVE debrief
CVE-2025-15609 Fortis CVE debrief
The Fortis for WooCommerce WordPress plugin before version 1.3.1 contains an information disclosure vulnerability that exposes sensitive API keys to unauthenticated attackers. The vulnerability allows remote, unauthenticated attackers to obtain Fortis API credentials, which can subsequently be used to query the Fortis API and retrieve sensitive customer information including past order details and personally identifiable information (PII). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality with no integrity or availability impact. The vulnerability was published to CVE on May 19, 2026, with a modification timestamp later the same day. The NVD entry currently shows a status of 'Deferred'. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Fortis
- Product: Fortis for WooCommerce
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations running Fortis for WooCommerce WordPress plugin versions before 1.3.1; e-commerce sites processing payments through Fortis; security teams responsible for WordPress plugin security; compliance officers concerned with PCI-DSS and customer PII protection; WooCommerce site administrators.
Technical summary
The vulnerability exists in the Fortis for WooCommerce WordPress plugin versions prior to 1.3.1. The plugin fails to properly protect sensitive Fortis API credentials, allowing unauthenticated remote attackers to read these keys. Once obtained, the API keys can be used to authenticate to Fortis' payment processing API and exfiltrate sensitive customer data, including historical order information and personally identifiable information. The attack requires no authentication or user interaction and can be conducted remotely with low complexity.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade the Fortis for WooCommerce WordPress plugin to version 1.3.1 or later
- Rotate all Fortis API keys immediately if an affected version has been running, since keys may already have been read before the upgrade
- Review Fortis API access logs for unauthorized queries
- Audit the scope of customer data exposure if compromise is suspected
- Implement Web Application Firewall (WAF) rules to block unauthenticated requests to the plugin endpoints that expose the API keys
- Consider disabling the plugin until patching is complete if an upgrade is not immediately feasible
Evidence notes
Vulnerability disclosed via WPScan with an NVD reference. Vendor attribution is marked as low confidence and requires review, with WPScan identified as the reference domain candidate. NVD status is 'Deferred' as of the modified timestamp.
Official resources
- CVE-2025-15609 CVE record (CVE.org)
- CVE-2025-15609 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference:
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.