cleantalk
Vulnerabilities and Security Researches

Mercado Pago payments for WooCommerce, CVE-2026-3208

CVE, Research URL

CVE-2026-3208

Home page URL

Security reports for Mercado Pago payments for WooCommerce

Application

Mercado Pago payments for WooCommerce

Published on
May 06, 2026
Research Description
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.
Affected versions
max 8.7.12.
Status
vulnerable
Previous vulnerability researches
Mercado Pago payments for WooCommerce (CVE-2022-45068) , Jun 07, 2024
Mercado Pago payments for WooCommerce (41b175013b292edd03143070e2e9a0f6ba91a9e0) , Jun 07, 2024
Mercado Pago payments for WooCommerce (CVE-2026-3208) , May 07, 2026
Mercado Pago payments for WooCommerce (CVE-2024-3934) , Jul 21, 2024
New vulnerability
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2026-9011) , May 24, 2026
GSheet For Woo Importer (CVE-2026-4843) , May 24, 2026
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2026-27349) , May 24, 2026
Location Weather – Best Weather Forecast Widget Plugin for WordPress (CVE-2026-7249) , May 24, 2026
Hotel Booking Lite (CVE-2026-8684) , May 24, 2026