CVE-2026-49066: WordPress Conekta Payment Gateway plugin <= 6.0.0 - Sensitive Data Exposure vulnerability

Synopsis

An unauthenticated sensitive data exposure vulnerability affects the Conekta Payment Gateway WordPress plugin at version 6.0.0 and earlier. The flaw is reachable over the network without any credentials, meaning any internet-connected attacker can trigger it directly. Successful exploitation grants read access to sensitive data handled by the plugin, such as payment-related configuration or transaction details. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS from any internet-connected location.

• AuthenticationNot required

  No account or session credential of any kind is needed to trigger the vulnerability.

• Victim interactionNot required

  The attacker can exploit this directly without any action from a logged-in user or site visitor.

• Attack complexityDetail

  The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.

Blast Radius

• A successful attacker reads sensitive data exposed by the payment gateway plugin, which may include API keys, private keys, or payment configuration values used to authenticate with Conekta services.
• Access to Conekta API credentials could allow an attacker to query transaction records or customer payment data held in the Conekta platform outside the WordPress host.
• There is no integrity or availability impact from this vulnerability; the attacker gains read access only and does not modify or disrupt the WordPress installation itself.