WordPress Plugin Vulnerabilities

Mercado Pago payments for WooCommerce < 8.7.12 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure

Description

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.

Affects Plugins

Plugin icon
woocommerce-mercadopago
Fixed in 8.7.12

References

CVE
CVE-2026-3208
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Muhammad Sharief
Verified
No
WPVDB ID
3a5a7e19-3a87-4a03-b321-4cb99ddf2945

Timeline

Publicly Published
2026-05-05 (about 19 days ago)
Added
2026-05-05 (about 19 days ago)
Last Updated
2026-05-06 (about 19 days ago)

Other

Published
Title
Published
2025-12-07
Title
Yandex.Metrica <= 1.2.2 - Missing Authorization
Published
2025-10-21
Title
Persian Admnin Fonts < 4.1.05 - Missing Authorization
Published
2024-11-12
Title
Kognetiks Chatbot for WordPress < 2.1.8 - Missing Authorization to Authenticated (Subscriber+) Assistant Deletion
Published
2024-12-24
Title
WooCommerce Point of Sale < 6.2.0 - Insecure Direct Object Reference to Privilege Escalation via Arbitrary User Email Change
Published
2023-09-12
Title
WPvivid Backup Plugin < 0.9.91 - Missing Authorization via 'start_staging' and 'get_staging_progress'