The exposed API key ID and secret allows attackers to carry out transactions without the knowledge of the app owners.

“This is a serious threat as it can be abused by anyone who gets access to this information,” researchers said in their blog post. “If an attacker gets hold of these details, he/she can easily perform fraudulent transactions on behalf of any user whose payment information has been leaked due to this vulnerability
https://t.co/Sb0nRFGoJg