PatchSiren

peachpay CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | peachpay CVE | published 2026-05-28

CVE-2026-9618

A Cross-Site Request Forgery (CSRF) vulnerability in the PeachPay for WooCommerce WordPress plugin allows unauthenticated attackers to permanently delete all stored Stripe payment credentials—including publishable keys, secret keys, webhook secrets, and Apple Pay configuration—by tricking an administrator into clicking a malicious link. The vulnerability exists due to missing or incorrect nonce validation [truncated]