PT-2026-37341 · WordPress · Mercado Pago Payments For Woocommerce
Muhammad Sharief · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-3208
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mercado Pago payments for WooCommerce versions prior to 8.7.12
Description
The Mercado Pago payments for WooCommerce plugin for WordPress allows unauthorized access to data because of a missing capability check on the 'mp pix image' API endpoint. This allows unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. These images contain sensitive merchant information, including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name, city, and MercadoPago transaction references.
Recommendations
Update the plugin to a version later than 8.7.11.
As a temporary workaround, restrict access to the 'mp pix image' API endpoint to minimize the risk of exploitation.
Fix
Missing Authorization
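One way a handler that serves an order-bound image can enforce the authorization check the description says was missing. This is an added example, not the plugin's code or its patch; the `example_*` function names, the `order_id` and `key` request parameters and the `_example_pix_qr_base64` meta key are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's code. Hypothetical: example_* names, the
 * 'order_id' and 'key' request parameters, the '_example_pix_qr_base64' meta key.
 */

// Decide whether the current requester may see payment data for this order.
function example_can_view_order_payment( WC_Order $order, string $supplied_key ): bool {
    // Store staff with WooCommerce management rights.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // The logged-in customer who owns the order.
    $user_id = get_current_user_id();
    if ( $user_id > 0 && (int) $order->get_customer_id() === $user_id ) {
        return true;
    }
    // Guest checkout: require the unguessable order key, compared in constant time.
    $order_key = (string) $order->get_order_key();
    return '' !== $order_key && '' !== $supplied_key
        && hash_equals( $order_key, $supplied_key );
}

function example_serve_pix_image(): void {
    $order_id = isset( $_GET['order_id'] ) ? absint( wp_unslash( $_GET['order_id'] ) ) : 0;
    $key      = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // Same 404 for "no such order" and "not allowed", so a response never
    // confirms which order IDs exist.
    if ( ! $order instanceof WC_Order || ! example_can_view_order_payment( $order, $key ) ) {
        status_header( 404 );
        exit;
    }

    $png = base64_decode( (string) $order->get_meta( '_example_pix_qr_base64' ), true );
    if ( false === $png || '' === $png ) {
        status_header( 404 );
        exit;
    }
    nocache_headers(); // keep the QR code out of shared and browser caches
    header( 'Content-Type: image/png' );
    echo $png; // binary image data, not HTML
    exit;
}
// WooCommerce fires woocommerce_api_{name} for requests to its API endpoints.
add_action( 'woocommerce_api_example_pix_image', 'example_serve_pix_image' );
```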
Weakness Enumeration
Related Identifiers
Affected Products
Mercado Pago Payments For Woocommerce