Order Status Manipulation in Rede Itaú for WooCommerce Plugin by WordPress
CVE-2026-0939
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 January 2026
What is CVE-2026-0939?
The Rede Itaú plugin for WooCommerce lacks proper verification of payment callback authenticity, allowing unauthenticated users to falsify order statuses. This vulnerability enables attackers to change unpaid orders to paid or failed statuses, potentially disrupting the e-commerce process and causing significant financial implications for businesses relying on this plugin.
Affected Version(s)
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit 0 <= 5.1.2