Rede Itaú for WooCommerce Order Status Manipulation Vulnerability
Vulnerability
A vulnerability exists in the Rede Itaú for WooCommerce plugin for WordPress, affecting all versions up to and including 5.1.2. The plugin does not adequately verify the authenticity of incoming payment data, which allows unauthenticated attackers to manipulate WooCommerce order statuses, for example by marking unpaid orders as paid or as failed.
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of WooCommerce order statuses, potentially leading to financial discrepancies and order fulfillment issues.
Reproduction
To reproduce this vulnerability, send a payment callback to the WooCommerce site's 'redePixListener' endpoint, simulating a payment notification that includes a transaction ID and an event indicating a payment update. Because the plugin performs no proper authentication check on the callback, the notification is accepted and processed, resulting in an unauthorized status change on the associated order.
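The root cause is a listener that acts on whatever the notification body claims. The example below is added here and is not code from the Rede Itaú plugin; it is written in Python rather than the plugin's PHP so that the pattern can be run stand-alone. All names (Order, GatewayClient, vulnerable_listener, hardened_listener) and the transaction fixtures are hypothetical. It places the trusting handler beside a hardened one that treats the callback only as a prompt to look the transaction up at the gateway over a server-to-server call, and then takes the order's new state from the gateway's record rather than from the request.

```python
"""Payment-callback handling: trust-the-body versus verify-at-the-gateway.

Added example, not code from the Rede Itaú for WooCommerce plugin.
All classes, function names and fixture data below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount: float
    status: str = "pending"   # pending -> processing (paid) or failed


class GatewayClient:
    """Stand-in for a server-to-server transaction lookup at the payment
    provider. Constructed fixture: these are the only transactions the
    gateway knows about, keyed by transaction ID."""

    def __init__(self, transactions: dict):
        self._tx = transactions

    def get_transaction(self, tx_id: str):
        return self._tx.get(tx_id)


def vulnerable_listener(orders: dict, payload: dict) -> str:
    """The weak pattern: order ID and event are read from the request body
    and applied without any check that a matching payment happened."""
    order = orders.get(payload.get("order_id"))
    if order is None:
        return "unknown order"
    if payload.get("event") == "paid":
        order.status = "processing"
    elif payload.get("event") == "failed":
        order.status = "failed"
    return order.status


def hardened_listener(orders: dict, gateway: GatewayClient, payload: dict) -> str:
    """The notification is only a hint. The transaction is fetched from the
    gateway, must reference this order for the right amount, and the order
    may only be finalised once. The resulting status comes from the
    gateway's record, never from the 'event' field in the request."""
    order = orders.get(payload.get("order_id"))
    if order is None:
        return "unknown order"
    tx = gateway.get_transaction(payload.get("tx_id"))
    if tx is None or tx["order_id"] != order.order_id:
        return "rejected: transaction not found for this order"
    if abs(tx["amount"] - order.amount) > 0.005:
        return "rejected: amount mismatch"
    if order.status != "pending":
        return "ignored: order already finalised"   # replay protection
    if tx["status"] == "paid":
        order.status = "processing"
    elif tx["status"] == "failed":
        order.status = "failed"
    return order.status


def make_orders() -> dict:
    # Constructed sample orders.
    return {"1001": Order("1001", 150.00), "1002": Order("1002", 20.00)}


def make_transactions() -> dict:
    # Constructed gateway-side records: one settled payment, one failed one.
    return {
        "tx-abc": {"order_id": "1001", "amount": 150.00, "status": "paid"},
        "tx-def": {"order_id": "1002", "amount": 20.00, "status": "failed"},
    }


def demo() -> dict:
    """Run the same callbacks through both handlers and collect outcomes."""
    forged = {"order_id": "1001", "tx_id": "tx-forged", "event": "paid"}
    results = {}
    results["vulnerable_forged"] = vulnerable_listener(make_orders(), forged)

    orders, gateway = make_orders(), GatewayClient(make_transactions())
    results["hardened_forged"] = hardened_listener(orders, gateway, forged)
    results["hardened_genuine"] = hardened_listener(
        orders, gateway, {"order_id": "1001", "tx_id": "tx-abc", "event": "paid"})
    results["hardened_replay"] = hardened_listener(
        orders, gateway, {"order_id": "1001", "tx_id": "tx-abc", "event": "failed"})
    results["hardened_cross_order"] = hardened_listener(
        orders, gateway, {"order_id": "1002", "tx_id": "tx-abc", "event": "paid"})
    results["hardened_event_ignored"] = hardened_listener(
        orders, gateway, {"order_id": "1002", "tx_id": "tx-def", "event": "paid"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the hardened handler a forged callback is rejected because the gateway has no record for it, a transaction belonging to another order cannot be reused, a second delivery of a genuine callback is ignored, and an "event" of paid in the body does not override a gateway record that says the payment failed. In WooCommerce terms this is the check that belongs before calling `payment_complete()` or `update_status()` on the order: query the gateway's own transaction API and compare order reference and amount first.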
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.