Home

Description

The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.

PUBLISHED Reserved 2026-01-14 | Published 2026-01-16 | Updated 2026-01-16 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-345 Insufficient Verification of Data Authenticity

Product status

Default status
unaffected

* (semver)
affected

Timeline

2026-01-01:Discovered
2026-01-15:Disclosed

Credits

Osvaldo Noe Gonzalez Del Rio finder

References

www.wordfence.com/...-913f-4289-82e6-30aa0a3abc2b?source=cve

plugins.trac.wordpress.org/...deForWoocommerceWcEndpoint.php

plugins.trac.wordpress.org/...deForWoocommerceWcEndpoint.php

plugins.trac.wordpress.org/...deForWoocommerceWcEndpoint.php

cve.org (CVE-2026-0939)

nvd.nist.gov (CVE-2026-0939)

Download JSON