What the vulnerability does
01Description
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.
Explanation of Vulnerability in Simple Terms
02Summary
The Mercado Pago Payments for WooCommerce plugin through version 8.7.11 fails to properly check user permissions before allowing access to sensitive payment data. An unauthenticated attacker can read payment information without authorization. Update to a version newer than 8.7.11 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read payment and transaction data without logging in.
Potential impact on your site
04Site Impact
Customer payment information may be exposed to unauthorized parties.
Conditions required to exploit
05Prerequisites
Network access to the WooCommerce site; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 6, 2026
CVE published
May 6, 2026
Record updated