Mercado Pago payments for WooCommerce
Moderate fix1 remedy
cpe:2.3:a:mercadopago:mercado_pago_payments_for_woocommerce:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 8.7.11
Mercado Pago Payments for WooCommerce Missing Authorization Vulnerability Allowing Unauthenticated Data Access
Vulnerability
Patched
A vulnerability exists in the Mercado Pago payments for WooCommerce plugin for WordPress, specifically in versions through 8.7.11. The issue arises from a missing capability check on the 'mp_pix_image' WooCommerce API endpoint, which allows unauthenticated attackers to access PIX payment QR code images for any order. These QR codes contain sensitive merchant information, including PIX keys (potentially linked to personal identifiers), transaction amounts, merchant details, and MercadoPago transaction references.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive merchant information, including personal identifiers, transaction details, and payment references.
Remediation
Users are advised to update the plugin to version 8.7.12 or a newer patched version.
Added: May 6, 2026, 4:19 AM
Updated: May 6, 2026, 4:19 AM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
2.5exploitability
8.2remediation
7.7relevance
7.6threat
3.2urgency
2.9incentive
4.2Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.