Unauthorized Data Access in Mercado Pago Payments Plugin for WordPress
CVE-2026-3208

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Mercado Pago Payments For WooCommerce
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-3208?

The Mercado Pago payments plugin for WooCommerce is susceptible to unauthorized data access due to a lack of capability checks on the 'mp_pix_image' API endpoint. This vulnerability allows attackers to exploit the WooCommerce plugin across all versions up to 8.7.11, potentially retrieving sensitive PIX payment QR code images associated with any order. These QR codes can reveal critical merchant information, including PIX keys, which may contain CPF/CNPJ personal identifiers, transaction amounts, and merchant details. This issue emphasizes the necessity for robust security practices in payment processing plugins to protect sensitive data against unauthorized queries.

Affected Version(s)

Mercado Pago payments for WooCommerce 0 <= 8.7.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woocommerce-me...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Feb 25, 2026

Credit

Muhammad Sharief

CVE-2026-3208 Data

JSON