CVE-2026-3208
Unauthenticated PIX QR Code Data Exposure in Mercado Pago WooCommerce
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercado_pago | payments_for_woocommerce | to 8.7.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Mercado Pago payments for WooCommerce plugin for WordPress has a vulnerability due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to and including 8.7.11.
This flaw allows unauthenticated attackers to access and retrieve PIX payment QR code images for arbitrary orders without authorization.
These PIX QR codes contain sensitive merchant information such as PIX keys (which may include personal identifiers like CPF/CNPJ), transaction amounts, merchant name and city, and MercadoPago transaction references.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive merchant and transaction information.
- Exposure of PIX keys, which may include personal identifiers (CPF/CNPJ).
- Leakage of transaction amounts and MercadoPago transaction references.
- Potential privacy violations due to exposure of merchant name and city.
Such unauthorized access could be exploited for fraud, identity theft, or other malicious activities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to access sensitive merchant information including PIX keys, which may contain personal identifiers such as CPF/CNPJ, transaction amounts, merchant name, city, and transaction references.
Exposure of personal identifiers and transaction data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the 'mp_pix_image' WooCommerce API endpoint, which allows retrieval of PIX payment QR code images without authentication.
To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the 'mp_pix_image' endpoint. Look for unauthenticated requests attempting to access this API path.
Example commands to detect such activity include using web server logs or network monitoring tools to search for requests containing 'mp_pix_image'. For instance, using grep on Apache or Nginx logs:
- grep 'mp_pix_image' /var/log/apache2/access.log
- grep 'mp_pix_image' /var/log/nginx/access.log
Additionally, you can use network monitoring tools like tcpdump or Wireshark to filter HTTP traffic containing 'mp_pix_image' in the URI.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Mercado Pago payments for WooCommerce plugin to a version later than 8.7.11 where the missing capability check on the 'mp_pix_image' endpoint is fixed.
If updating is not immediately possible, restrict access to the 'mp_pix_image' API endpoint by implementing authentication or firewall rules to block unauthenticated requests.
Monitor your logs for any suspicious access attempts and consider temporarily disabling the Mercado Pago payments plugin until a patch is applied.