CVE-2026-0942

MEDIUM

Rede Itaú for WooCommerce <5.1.2 - Auth Bypass

Title source: llm

Description

The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders.

References (3)

[Product] https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42

[Product] https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-306

Status draft

Timeline

Published Jan 16, 2026

Tracked Since Feb 18, 2026