Rede Itaú for WooCommerce Payment PIX Credit Card and Debit Missing Authorization Vulnerability
Vulnerability
A missing-authorization vulnerability exists in the Rede Itaú for WooCommerce Payment PIX, Credit Card and Debit plugin, affecting all versions up to and including 5.1.2. The clearOrderLogs() function performs no capability check before acting, so an unauthenticated attacker can delete the Rede order log metadata from every WooCommerce order on the site.
Impact
Exploitation allows unauthorized deletion of order log metadata. This is an integrity and availability issue rather than a disclosure one: the per-order payment gateway logs are lost, which can disrupt order management, break reconciliation of transaction records, and remove the records a store would rely on when investigating a disputed or fraudulent payment.
Reproduction
The vulnerability can be reproduced by sending an unauthenticated HTTP DELETE request to the '/redeIntegration/clearOrderLogs' endpoint. The request is processed without any logged-in session and removes the 'lknWcRedeOrderLogs' metadata from all WooCommerce orders.
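The following is an added illustration, not the plugin's own code. It assumes that the endpoint above is a WordPress REST route under the 'redeIntegration' namespace, which is what a DELETE request to that path implies; the handler name, the function names and the use of the manage_woocommerce capability are assumptions chosen for the example. It shows the registration pattern that produces this class of bug (a permission_callback that accepts everything) next to a hardened registration, and a handler that does the same work as the one described above so the effect of the check is concrete.

```php
<?php
// Added example; hypothetical code, not taken from the plugin.
// Assumes the endpoint is a WP REST route in the 'redeIntegration' namespace.

// Vulnerable pattern: permission_callback returns true for every request,
// so an unauthenticated DELETE reaches the handler. Shown for comparison
// only; this function is deliberately NOT hooked below.
function example_register_vulnerable_route() {
    register_rest_route( 'redeIntegration', '/clearOrderLogs', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_clear_order_logs',
        'permission_callback' => '__return_true', // missing authorization
    ) );
}

// Hardened pattern: require a capability only shop managers and admins hold.
// WordPress evaluates permission_callback before the handler runs. For
// cookie-authenticated callers the request must also carry a valid X-WP-Nonce,
// otherwise WordPress treats the caller as logged out and current_user_can()
// returns false, so the nonce is enforced by this same check.
function example_register_hardened_route() {
    register_rest_route( 'redeIntegration', '/clearOrderLogs', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_clear_order_logs',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

// Hypothetical handler with the behaviour described above: remove the
// 'lknWcRedeOrderLogs' meta key from every WooCommerce order. It uses the
// WC order object API so it works whether orders are stored in wp_posts
// or in the HPOS order tables, and reports how many orders were touched.
function example_clear_order_logs( WP_REST_Request $request ) {
    $cleared   = 0;
    $order_ids = wc_get_orders( array( 'limit' => -1, 'return' => 'ids' ) );

    foreach ( $order_ids as $order_id ) {
        $order = wc_get_order( $order_id );
        if ( $order && $order->meta_exists( 'lknWcRedeOrderLogs' ) ) {
            $order->delete_meta_data( 'lknWcRedeOrderLogs' );
            $order->save();
            $cleared++;
        }
    }

    return rest_ensure_response( array( 'cleared' => $cleared ) );
}
```

The permission check is the only difference between the two registrations; the handler is identical, which is why a missing or permissive permission_callback is the whole bug. When reviewing any plugin route, look for '__return_true' (or a callback that never consults current_user_can()) on endpoints that change state, and confirm the capability chosen is one the store actually grants only to trusted roles.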
Remediation
No patched release is known at the time of writing. Review the vulnerability details and, until a fixed version is published, deactivate or uninstall the affected plugin; deactivating it stops the plugin's code, including the vulnerable endpoint, from loading at all.
