CVE-2026-52695: WordPress ABC Crypto Checkout plugin <= 1.8.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the ABC Crypto Checkout WordPress plugin, versions 1.8.2 and earlier. It is reachable over the network with no authentication required, meaning any remote actor can trigger it without holding any account credentials. Successful exploitation allows an attacker to read sensitive data from the affected site. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.
HarborGuard Coverage
- Detection (Available): detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle this plugin.
- Prioritization (Available): HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weighs it against each environment's configured compliance policy to determine priority routing. Findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy rules.
- Fix (Pending upstream): no fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger without manual intervention once a fix version is released.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS from any internet-connected location.
- Authentication: Not required
No account credentials or session token of any kind are needed to trigger the exposure; the vulnerable code path is accessible to unauthenticated requests.
- Victim interaction: Not required
The attacker does not need any action from a site user or administrator to exploit this vulnerability.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental factors to succeed.
Blast Radius
- An unauthenticated attacker reads sensitive data exposed by the plugin, which may include cryptocurrency payment configuration details, API keys, or transaction records stored by the plugin.
- Exposed credentials or API keys could be reused to interact with connected cryptocurrency wallets or payment processor accounts outside the WordPress environment.
- No integrity or availability impact is indicated by the CVSS vector; the attacker gains read access only and cannot modify or delete data through this vulnerability alone.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against all customer images as soon as it enters the advisory feed, with no manual intervention required. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory and the plugin repository on each ingest cycle. The moment a patched version is published, a rebuilt image becomes available and, for customers who opt into auto-remediation, the platform will trigger a rebuild, run regression tests, and open a pull request against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation, WAF rules that block unauthenticated requests to the plugin's exposed endpoints, and disabling the plugin where cryptocurrency checkout functionality is not actively in use.
Affected Products
- Al Monsor / ABC Crypto Checkout: ≤ 1.8.2
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N