Description
The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.
Published: 2026-01-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Status Manipulation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Rede Itaú for WooCommerce plugin, where callbacks from the payment gateway are not authenticated. An attacker can send arbitrary requests to modify a WooCommerce order status, marking unpaid orders as paid or causing paid orders to appear failed. This compromises the integrity of the sales ledger and could lead to revenue loss or refunds.

Affected Systems

The affected software is the Rede Itaú for WooCommerce plugin for WordPress, versions up to and including 5.1.2. No other products or vendors are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% shows low probability of exploitation. The vulnerability is not currently in the CISA KEV catalog. Attackers do not require authentication and can trigger the flaw by sending crafted callbacks to the plugin's endpoint, directly changing order states.

Generated by OpenCVE AI on April 15, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rede Itaú plugin to version 5.1.3 or later to apply the vendor fix.
  • Restrict access to the plugin’s callback endpoint by configuring WordPress or the web server to accept requests only from known IP addresses or by using authentication tokens.
  • Audit existing orders for inconsistencies and revert any status changes that were not authorized by legitimate payment confirmations.

Generated by OpenCVE AI on April 15, 2026 at 19:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Linknacional
Linknacional rede Itau For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Linknacional
Linknacional rede Itau For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.
Title Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Linknacional Rede Itau For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:41.932Z

Reserved: 2026-01-14T14:06:31.783Z

Link: CVE-2026-0939

cve-icon Vulnrichment

Updated: 2026-01-16T13:57:47.874Z

cve-icon NVD

Status : Deferred

Published: 2026-01-16T07:15:56.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses