{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15482", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T19:59:46.779Z", "datePublished": "2026-02-04T08:25:26.785Z", "dateUpdated": "2026-04-08T16:37:45.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:45.305Z"}, "affected": [{"vendor": "chapaet", "product": "Chapa Payment Gateway Plugin for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key."}], "title": "Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-03T19:32:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:18:56.831247Z", "id": "CVE-2025-15482", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:19:03.418Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:18:56.831247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:19:00.461Z"}}], "cna": {"title": "Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "chapaet", "product": "Chapa Payment Gateway Plugin for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-03T19:32:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418"}], "descriptions": [{"lang": "en", "value": "The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:45.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15482", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:45.305Z", "dateReserved": "2026-01-07T19:59:46.779Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:26.785Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key."}, {"lang": "es", "value": "El plugin Chapa Payment Gateway para WooCommerce plugin para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 1.0.3, inclusive, a trav\u00e9s del endpoint de la API de WooCommerce 'chapa_proceed'. Esto posibilita que atacantes no autenticados extraigan datos sensibles, incluyendo la clave secreta de la API de Chapa del comerciante."}], "id": "CVE-2025-15482", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:51.033", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:33:47.368376+00:00", "value": {"mitigation_remediation": ["Upgrade the Chapa Payment Gateway Plugin to the latest version that removes the unauthenticated exposure of the secret key", "If an upgrade is not immediately possible, disable or remove the Chapa plugin from the site to eliminate the vulnerability surface", "Apply network or firewall rules to block external access to the 'chapa_proceed' endpoint until the plugin is patched or removed", "After remediation, purge any cached or stored instances of the exposed API key from the site\u2019s configuration and verify that rotation has occurred"], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "All installations of the Chapa Payment Gateway Plugin for WooCommerce version 1.0.3 and earlier are affected. The plugin is a WordPress add\u2011on that integrates Chapa payment processing into WooCommerce stores; any WordPress site running the vulnerable plugin falls under the scope of this vulnerability.", "description_and_impact": "The Chapa Payment Gateway Plugin for WooCommerce is vulnerable to a sensitive information exposure flaw that allows an unauthenticated attacker to retrieve the merchant\u2019s Chapa secret API key. This weakness is achieved through the 'chapa_proceed' WooCommerce API endpoint, which does not enforce authentication before returning configuration data. The vendor identified the issue as a classic data\u2011leak scenario (CWE\u2011200), meaning that privileged data can be accessed by attackers with no initial credentials.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% shows that, at the time of analysis, the probability of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the exposed API key grants full access to a merchant\u2019s payment account, an attacker who succeeds could authorize payments, void transactions, or steal financial information. The likely attack vector is remote over the public internet via the exposed 'chapa_proceed' endpoint."}}}}, "created": "2026-02-04T21:18:09.381748+00:00", "updated": "2026-04-22T15:45:20.868595+00:00", "vendors": ["chapaet", "chapaet$PRODUCT$chapa_payment_gateway_plugin_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}