PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9618 peachpay CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability in the PeachPay for WooCommerce WordPress plugin allows unauthenticated attackers to permanently delete all stored Stripe payment credentials—including publishable keys, secret keys, webhook secrets, and Apple Pay configuration—by tricking an administrator into clicking a malicious link. The vulnerability exists due to missing or incorrect nonce validation on the `peachpay_stripe_handle_admin_actions` function. Affected versions are up to and including 1.120.46. The CVSS 3.1 score is 4.3 (Medium). The vulnerability was disclosed on 2026-05-28. No known exploitation in ransomware campaigns has been reported.

Vendor: peachpay
Product: PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI)
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using PeachPay for WooCommerce with Stripe integration; e-commerce security teams; payment processing compliance officers

Technical summary

The PeachPay for WooCommerce plugin fails to properly validate nonces in the peachpay_stripe_handle_admin_actions function, allowing unauthenticated attackers to forge requests that delete Stripe API credentials. The attack requires social engineering an administrator into clicking a malicious link. Successful exploitation disables Stripe payment processing for the affected store by removing publishable keys, secret keys, webhook secrets, and Apple Pay configuration from the WordPress database.

Defensive priority

medium

Recommended defensive actions

  • Update the PeachPay for WooCommerce plugin to a version newer than 1.120.46
  • Verify that all Stripe payment credentials are intact and reconfigure if necessary
  • Review administrator access logs for suspicious activity around 2026-05-28 and subsequent days
  • Implement additional CSRF protections for administrative functions in custom WordPress plugins
  • Consider implementing Content Security Policy (CSP) headers to mitigate clickjacking risks
  • Train administrators to recognize and avoid suspicious links in emails or messages
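The following is an added illustration for the technical summary above and for the recommendation to add CSRF protections to administrative functions. It is hypothetical example code written for this debrief, not PeachPay's code and not taken from the plugin's settings.php or functions.php: the option names, the `example_stripe_*` function and action names, and the `manage_woocommerce` capability are all assumptions. It shows the CWE-352 pattern the advisory describes (an admin action that deletes credentials without a nonce check) next to a hardened handler that uses WordPress's own capability and nonce APIs, plus a small check a defender can run to confirm the stored credentials are still populated.

```php
<?php
/**
 * Hypothetical WordPress admin-action handlers illustrating the CWE-352
 * (CSRF) pattern described in the debrief and its fix. Not PeachPay's code;
 * option keys, action names and the capability used are assumptions.
 */

// Option keys this example pretends hold the Stripe configuration (constructed).
const EXAMPLE_STRIPE_OPTIONS = array(
    'example_stripe_publishable_key',
    'example_stripe_secret_key',
    'example_stripe_webhook_secret',
    'example_stripe_apple_pay_config',
);

/**
 * VULNERABLE PATTERN: runs on every admin page load, trusts a query
 * parameter, and never verifies a nonce. Because the browser attaches the
 * admin's session cookie automatically, any page the logged-in admin visits
 * can trigger this with a plain link or image pointing at wp-admin.
 */
function example_stripe_handle_admin_actions_vulnerable() {
    if ( ! isset( $_GET['example_stripe_action'] ) ) {
        return;
    }
    if ( 'disconnect' === $_GET['example_stripe_action'] ) {
        foreach ( EXAMPLE_STRIPE_OPTIONS as $option ) {
            delete_option( $option );
        }
    }
}
// add_action( 'admin_init', 'example_stripe_handle_admin_actions_vulnerable' ); // do not register this

/**
 * HARDENED PATTERN: same feature, but (1) routed through admin-post.php so it
 * only fires on an explicit submission, (2) a capability check so only store
 * managers may disconnect, (3) a nonce bound to this specific action so a
 * forged cross-site request is rejected before anything is deleted.
 */
function example_stripe_handle_admin_actions_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // Dies with a 403 "link has expired" page if the nonce is missing or invalid.
    check_admin_referer( 'example_stripe_disconnect', '_example_nonce' );

    foreach ( EXAMPLE_STRIPE_OPTIONS as $option ) {
        delete_option( $option );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-stripe&disconnected=1' ) );
    exit;
}
add_action( 'admin_post_example_stripe_disconnect', 'example_stripe_handle_admin_actions_hardened' );

/**
 * The settings page renders the disconnect control as a POST form carrying the
 * matching nonce; wp_nonce_field() also emits the referer field that
 * check_admin_referer() inspects.
 */
function example_stripe_render_disconnect_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_stripe_disconnect" />
        <?php wp_nonce_field( 'example_stripe_disconnect', '_example_nonce' ); ?>
        <?php submit_button( __( 'Disconnect Stripe', 'example' ), 'delete' ); ?>
    </form>
    <?php
}

/**
 * Defensive check from the recommended actions: return the list of expected
 * Stripe options that are now empty. An empty array means the credentials
 * are intact; anything else means they should be reconfigured and the
 * admin activity around the loss investigated.
 */
function example_stripe_missing_credentials() {
    $missing = array();
    foreach ( EXAMPLE_STRIPE_OPTIONS as $option ) {
        if ( '' === (string) get_option( $option, '' ) ) {
            $missing[] = $option;
        }
    }
    return $missing;
}
```

The key difference between the two handlers is not the deletion itself but what must be true before it runs: in the hardened version a request from another origin cannot supply a valid nonce for `example_stripe_disconnect`, so `check_admin_referer()` stops it, and a logged-in user without `manage_woocommerce` is refused even with a valid nonce. Logging the outcome of `example_stripe_missing_credentials()` from a scheduled task gives an early signal that credentials were removed.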

Evidence notes

The vulnerability is attributed to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. Source references include WordPress plugin repository browser links for versions 1.120.23 and 1.120.45, showing the affected code locations in core/admin/settings.php and core/payments/stripe/functions.php. A changeset reference indicates a patch may be available. The weakness is classified as CWE-352 (Cross-Site Request Forgery).

Official resources

2026-05-28