Detection Guidance

This vulnerability involves unauthorized access to the 'mp_pix_image' WooCommerce API endpoint, which allows retrieval of PIX payment QR code images without authentication.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the 'mp_pix_image' endpoint. Look for unauthenticated requests attempting to access this API path.

Example commands to detect such activity include using web server logs or network monitoring tools to search for requests containing 'mp_pix_image'. For instance, using grep on Apache or Nginx logs:

• grep 'mp_pix_image' /var/log/apache2/access.log
• grep 'mp_pix_image' /var/log/nginx/access.log

Additionally, you can use network monitoring tools like tcpdump or Wireshark to filter HTTP traffic containing 'mp_pix_image' in the URI.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Mercado Pago payments for WooCommerce plugin to a version later than 8.7.11 where the missing capability check on the 'mp_pix_image' endpoint is fixed.

If updating is not immediately possible, restrict access to the 'mp_pix_image' API endpoint by implementing authentication or firewall rules to block unauthenticated requests.

Monitor your logs for any suspicious access attempts and consider temporarily disabling the Mercado Pago payments plugin until a patch is applied.

Useful 0 Not Useful 0

Executive Summary

The Mercado Pago payments for WooCommerce plugin for WordPress has a vulnerability due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to and including 8.7.11.

This flaw allows unauthenticated attackers to access and retrieve PIX payment QR code images for arbitrary orders without authorization.

These PIX QR codes contain sensitive merchant information such as PIX keys (which may include personal identifiers like CPF/CNPJ), transaction amounts, merchant name and city, and MercadoPago transaction references.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive merchant and transaction information.

• Exposure of PIX keys, which may include personal identifiers (CPF/CNPJ).
• Leakage of transaction amounts and MercadoPago transaction references.
• Potential privacy violations due to exposure of merchant name and city.

Such unauthorized access could be exploited for fraud, identity theft, or other malicious activities.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive merchant information including PIX keys, which may contain personal identifiers such as CPF/CNPJ, transaction amounts, merchant name, city, and transaction references.

Exposure of personal identifiers and transaction data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

Useful 0 Not Useful 0