CVE-2026-3208
Deferred Deferred - Pending Action
Unauthenticated PIX QR Code Data Exposure in Mercado Pago WooCommerce

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Wordfence

Description
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-3208
EUVD
EUVD-2026-27520
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mercado_pago payments_for_woocommerce to 8.7.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Mercado Pago payments for WooCommerce plugin for WordPress has a vulnerability due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to and including 8.7.11.

This flaw allows unauthenticated attackers to access and retrieve PIX payment QR code images for arbitrary orders without authorization.

These PIX QR codes contain sensitive merchant information such as PIX keys (which may include personal identifiers like CPF/CNPJ), transaction amounts, merchant name and city, and MercadoPago transaction references.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive merchant and transaction information.

  • Exposure of PIX keys, which may include personal identifiers (CPF/CNPJ).
  • Leakage of transaction amounts and MercadoPago transaction references.
  • Potential privacy violations due to exposure of merchant name and city.

Such unauthorized access could be exploited for fraud, identity theft, or other malicious activities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthenticated attackers to access sensitive merchant information including PIX keys, which may contain personal identifiers such as CPF/CNPJ, transaction amounts, merchant name, city, and transaction references.

Exposure of personal identifiers and transaction data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart