Refine your search
2 vulnerabilities found for Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit by linknacional
CVE-2026-0939 (GCVE-0-2026-0939)
Vulnerability from cvelistv5
Published
2026-01-16 06:43
Modified
2026-04-08 17:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| linknacional | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit |
Version: 0 ≤ 5.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T13:57:15.216409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T13:57:52.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit",
"vendor": "linknacional",
"versions": [
{
"lessThanOrEqual": "5.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rede Ita\u00fa for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:41.932Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3441046/woo-rede/tags/5.1.3/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-15T18:31:03.000Z",
"value": "Disclosed"
}
],
"title": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit \u003c= 5.1.2 - Unauthenticated Order Status Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0939",
"datePublished": "2026-01-16T06:43:20.971Z",
"dateReserved": "2026-01-14T14:06:31.783Z",
"dateUpdated": "2026-04-08T17:00:41.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0942 (GCVE-0-2026-0942)
Vulnerability from cvelistv5
Published
2026-01-16 06:43
Modified
2026-04-08 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| linknacional | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit |
Version: 0 ≤ 5.1.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T13:58:38.603695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T13:58:49.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit",
"vendor": "linknacional",
"versions": [
{
"lessThanOrEqual": "5.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:25.135Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-28T17:25:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-15T18:31:18.000Z",
"value": "Disclosed"
}
],
"title": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit \u003c= 5.1.5 - Missing Authorization to Unauthenticated Rede Order Logs Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0942",
"datePublished": "2026-01-16T06:43:20.555Z",
"dateReserved": "2026-01-14T15:02:25.916Z",
"dateUpdated": "2026-04-08T16:50:25.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}