CVE-2026-0939 Overview
The Rede Itaú for WooCommerce plugin for WordPress contains an insufficient data authenticity verification flaw in all versions through 5.1.2. The plugin fails to verify the authenticity of incoming payment callbacks at the WooCommerce endpoint handler. Unauthenticated attackers can manipulate WooCommerce order statuses by forging callback requests, marking unpaid orders as paid or flipping completed orders to failed. The issue is tracked under CWE-345: Insufficient Verification of Data Authenticity and was fixed in version 5.1.3.
Critical Impact
Attackers can fraudulently mark unpaid WooCommerce orders as paid, enabling theft of goods or services from merchants using the Rede Itaú payment integration.
Affected Products
- Rede Itaú for WooCommerce plugin for WordPress, all versions up to and including 5.1.2
- WooCommerce stores integrating the woo-rede plugin for Itaú payment processing
- Fixed in version 5.1.3
Discovery Timeline
- 2026-01-16 - CVE-2026-0939 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0939
Vulnerability Analysis
The vulnerability resides in the plugin's payment callback endpoint, implemented in LknIntegrationRedeForWoocommerceWcEndpoint.php. The endpoint receives notifications about payment status changes from the Rede payment gateway and updates the corresponding WooCommerce order accordingly. The handler does not authenticate the source of these callbacks, nor does it verify a shared secret, signature, or HMAC on the payload.
An attacker who knows or guesses a valid order identifier can submit a crafted HTTP request to the callback URL and assert an arbitrary payment state. WooCommerce then transitions the order to that state without further validation. Because the endpoint is reachable over the network with no authentication and no user interaction, exploitation is straightforward against any exposed store running the plugin.
This is a business logic and authenticity verification failure rather than a memory or injection flaw. The integrity impact is limited to order status data, but the financial consequence for merchants can be significant when fraudulent "paid" statuses trigger fulfillment workflows.
Root Cause
The root cause is the absence of any authenticity check on inbound callback traffic: the endpoint trusts request parameters such as the order ID and payment state at face value. Secure gateway integrations verify a signature or HMAC computed over the payload with a merchant-specific secret, and typically also confirm the transaction's state with the gateway before acting on it; restricting the request origin to the gateway's published IP ranges or requiring a client certificate is a secondary control. Neither control is present in vulnerable versions. Source-IP restriction alone is a weak substitute for payload authentication: it proves nothing about the content of the request and fails silently when the processor changes its ranges. See the WordPress plugin source for the vulnerable endpoint handler.
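The following is an added illustration of the pattern described above; it is not code from the woo-rede plugin (which is PHP) nor from Rede's documentation. The first handler reproduces the trust-everything behaviour the advisory describes; the second applies the controls listed in the root-cause paragraph. The shared secret, the X-Signature header name, the trusted IP range, the JSON field names and the lookup_transaction stand-in for a gateway query are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import json

# Illustrative placeholders, not values from the plugin or from Rede:
WEBHOOK_SECRET = b"example-shared-secret"                 # hypothetical per-merchant secret
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for documented gateway ranges
# Constructed stand-in for the gateway's own record of transactions.
GATEWAY_TRANSACTIONS = {"T-100": {"order_id": 1001, "status": "processing"}}
# Transitions a payment callback is allowed to cause (WooCommerce status names).
ALLOWED = {"pending": {"processing", "failed"}, "on-hold": {"processing", "failed"}}


def lookup_transaction(tid):
    """Stand-in for confirming a transaction with the gateway API (assumption)."""
    return GATEWAY_TRANSACTIONS.get(tid)


def handle_vulnerable(orders, params):
    """The CWE-345 pattern: order id and status are taken straight from the
    request, so anyone who can reach the endpoint can set any order to any status."""
    order_id = int(params.get("order_id", 0))
    if order_id not in orders:
        return False
    orders[order_id] = params["status"]
    return True


def encode_callback(order_id, tid, status):
    """Builds the raw body a (hypothetical) signed gateway callback would carry."""
    return json.dumps({"order_id": order_id, "tid": tid, "status": status},
                      sort_keys=True).encode()


def sign(secret, raw_body):
    """HMAC-SHA256 over the exact bytes received, never over a re-serialised copy."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_hardened(orders, raw_body, headers, source_ip, secret=WEBHOOK_SECRET):
    """Accepts the callback only when every check passes:
    1. the source address is inside the trusted ranges (weakest check, done first),
    2. the HMAC in the signature header matches the raw body,
    3. the gateway itself confirms the transaction, order and status,
    4. the requested transition is one a callback may legitimately cause."""
    if not any(ipaddress.ip_address(source_ip) in net for net in TRUSTED_RANGES):
        return "rejected: untrusted source"
    if not hmac.compare_digest(sign(secret, raw_body), headers.get("X-Signature", "")):
        return "rejected: bad signature"
    body = json.loads(raw_body)
    order_id = int(body["order_id"])
    if order_id not in orders:
        return "rejected: unknown order"
    tx = lookup_transaction(body.get("tid"))
    if tx is None or tx["order_id"] != order_id or tx["status"] != body["status"]:
        return "rejected: not confirmed by gateway"
    if body["status"] not in ALLOWED.get(orders[order_id], set()):
        return "rejected: illegal transition"
    orders[order_id] = body["status"]
    return "accepted"


if __name__ == "__main__":
    orders = {1001: "pending", 1002: "completed"}
    print("vulnerable:", handle_vulnerable(orders, {"order_id": "1002", "status": "failed"}), orders)
    orders = {1001: "pending", 1002: "completed"}
    body = encode_callback(1001, "T-100", "processing")
    print("forged:", handle_hardened(orders, body, {}, "198.51.100.7"))
    print("genuine:", handle_hardened(orders, body, {"X-Signature": sign(WEBHOOK_SECRET, body)},
                                      "203.0.113.10"), orders)
```

The order of checks matters for more than correctness: the signature is verified over the raw request bytes before any parsing, so a malformed or oversized body from an untrusted source never reaches json.loads, and the gateway confirmation step means that even a leaked secret cannot mark an order paid unless the processor also reports it paid.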
Attack Vector
Exploitation is performed over the network against the plugin's public callback URL. An unauthenticated attacker sends an HTTP request that references a target order identifier and the desired status; no credentials, session, or user interaction are required. Order identifiers are easy to obtain: WooCommerce order IDs are typically sequential and can simply be guessed, and they also appear in order confirmation pages and transactional e-mails, including those for purchases the attacker makes themselves. The vulnerability mechanism is described above in prose; no verified proof-of-concept code is published in the referenced advisories.
Detection Methods for CVE-2026-0939
Indicators of Compromise
- Unexpected WooCommerce order status transitions from pending or on-hold directly to processing or completed without a matching gateway transaction record.
- Multiple POST requests to the plugin's Rede callback endpoint originating from IP addresses outside Itaú/Rede's published gateway ranges.
- Orders marked as paid in WooCommerce with no corresponding settlement entry in the Itaú merchant portal.
- Repeated callback requests targeting sequential or enumerated order IDs within short time windows.
Detection Strategies
- Reconcile WooCommerce order status changes against the authoritative Itaú/Rede settlement reports daily and alert on mismatches.
- Log all requests to the woo-rede callback URL, including the source IP and the order identifier referenced, and compare source IPs against the webhook origin ranges the payment processor documents. If the processor documents none, treat every source as untrusted and rely on reconciliation instead.
- Rate-limit and alert on bursts of callback requests from a single source, particularly ones that walk through consecutive order IDs. A WAF cannot check a signature that the vulnerable plugin never required, so until the update is applied, origin restriction, rate limiting and reconciliation are the only controls available at that layer.
Monitoring Recommendations
- Enable WooCommerce order audit logging and forward events to a centralized SIEM or data lake for correlation with gateway logs.
- Monitor for spikes in callback endpoint traffic, particularly outside normal customer purchase patterns.
- Track fulfillment actions triggered by order status changes and flag those that lack a corresponding verified payment record.
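The detection logic from the indicator and strategy lists above, as an added example that is not part of the original advisory: it parses constructed web-server log lines for the callback path, flags sources outside a placeholder trusted range, flags sources that cycle through several order IDs in a short window, and reconciles constructed order-status events against a constructed settlement set. The order_id and status query parameters are hypothetical (the plugin's real parameter names are not on this page, and POST bodies are not in access logs anyway, so production use needs plugin- or proxy-level request logging); the trusted range is a documentation prefix, not a Rede address.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/wc-api/LknIntegrationRedeForWoocommerceWcEndpoint"
# Placeholder for the processor's documented webhook ranges (assumption).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Combined log format: ip ident user [time] "method url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic (order_id/status parameters are hypothetical).
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2026:10:00:00 +0000] "POST /wc-api/LknIntegrationRedeForWoocommerceWcEndpoint?order_id=2000&status=processing HTTP/1.1" 200 2 "-" "gateway"',
    '198.51.100.8 - - [16/Jan/2026:10:02:00 +0000] "POST /wc-api/LknIntegrationRedeForWoocommerceWcEndpoint?order_id=1005&status=processing HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '198.51.100.7 - - [16/Jan/2026:10:10:00 +0000] "POST /wc-api/LknIntegrationRedeForWoocommerceWcEndpoint?order_id=1001&status=processing HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '198.51.100.7 - - [16/Jan/2026:10:10:12 +0000] "POST /wc-api/LknIntegrationRedeForWoocommerceWcEndpoint?order_id=1002&status=completed HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '198.51.100.7 - - [16/Jan/2026:10:10:25 +0000] "POST /wc-api/LknIntegrationRedeForWoocommerceWcEndpoint?order_id=1003&status=failed HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '192.0.2.5 - - [16/Jan/2026:10:11:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Constructed WooCommerce status transitions (order_id, old, new) and the set of order
# ids a constructed processor settlement report confirms as paid.
SAMPLE_EVENTS = [(2000, "pending", "processing"), (1001, "pending", "processing"),
                 (1002, "on-hold", "completed"), (1003, "completed", "failed")]
SAMPLE_SETTLEMENTS = {2000}

PAID = {"processing", "completed"}


def parse_log(lines):
    """Keeps only requests to the callback path; returns dicts with ip, time and the
    order id / status named in the query string (None when absent)."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if url.path != CALLBACK_PATH:
            continue
        q = parse_qs(url.query)
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "order_id": q.get("order_id", [None])[0],
            "new_status": q.get("status", [None])[0],
        })
    return entries


def untrusted_sources(entries):
    """Source IPs hitting the callback endpoint from outside the trusted ranges."""
    return sorted({e["ip"] for e in entries
                   if not any(ipaddress.ip_address(e["ip"]) in n for n in TRUSTED_RANGES)})


def enumeration_bursts(entries, window_seconds=60, min_orders=3):
    """Sources that reference at least min_orders distinct order ids within one window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["order_id"] is not None:
            by_ip[e["ip"]].append((e["ts"], e["order_id"]))
    flagged = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ids) >= min_orders:
                flagged.append(ip)
                break
    return flagged


def unsettled_paid_orders(events, settlements):
    """Orders that became paid in WooCommerce with no settlement entry at the processor:
    the reconciliation check, and the candidates for fraudulent fulfilment."""
    return sorted(oid for oid, old, new in events
                  if new in PAID and old not in PAID and oid not in settlements)


def paid_to_failed(events):
    """Paid orders flipped to failed, the other abuse the advisory describes."""
    return sorted(oid for oid, old, new in events if old in PAID and new == "failed")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("untrusted sources:", untrusted_sources(entries))
    print("enumeration bursts:", enumeration_bursts(entries))
    print("paid without settlement:", unsettled_paid_orders(SAMPLE_EVENTS, SAMPLE_SETTLEMENTS))
    print("paid flipped to failed:", paid_to_failed(SAMPLE_EVENTS))
```

The reconciliation check is the one that matters most: an attacker behind a large NAT or a rotating proxy defeats the per-source heuristics, but cannot make a settlement entry appear in the processor's report.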
How to Mitigate CVE-2026-0939
Immediate Actions Required
- Update the Rede Itaú for WooCommerce plugin to version 5.1.3 or later on every WordPress site that runs it.
- Audit recent orders for status transitions that lack a matching Itaú settlement record and reverse fraudulent fulfillments.
- Restrict access to the plugin callback endpoint at the WAF or reverse proxy layer to the payment processor's documented IP ranges, where the processor publishes them, and confirm afterwards that genuine Rede notifications still reach the store.
Patch Information
The vendor addressed the flaw in version 5.1.3 of the woo-rede plugin. The fix is documented in the WordPress plugin changeset 3441046 and analyzed in the Wordfence vulnerability record. Administrators should apply the update through the WordPress plugin manager or by deploying the patched release manually.
Workarounds
- If immediate patching is not possible, disable the Rede Itaú for WooCommerce plugin and switch to an alternate verified payment integration until the update can be applied.
- Block public access to the plugin's callback endpoint with allowlist rules at the WAF or web server, permitting only Itaú/Rede source IPs.
- Hold all new orders in a manual review queue and verify payment receipt in the Itaú merchant portal before fulfillment.
# Example nginx allowlist for the Rede callback endpoint (path form of the WC-API route)
location ~ ^/wc-api/LknIntegrationRedeForWoocommerceWcEndpoint {
    allow 203.0.113.0/24; # placeholder (documentation prefix); replace with the ranges Itaú/Rede publish for webhooks
    deny all;
    # A regex location takes precedence over "location /", so the WordPress
    # front-controller rewrite must be repeated here; without it nginx returns 404
    # for genuine callbacks instead of handing them to index.php.
    try_files $uri /index.php?$args;
}
Two caveats: WooCommerce also resolves legacy API requests from the wc-api query argument (for example /?wc-api=LknIntegrationRedeForWoocommerceWcEndpoint), which this path match does not cover, so apply the same source restriction to that form at the WAF or via a map on $args; and test with a real transaction after deployment, because a wrong range blocks legitimate payment notifications as well as forged ones.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

