CVE-2026-3208 Overview
CVE-2026-3208 is a missing authorization vulnerability [CWE-862] in the Mercado Pago payments for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 8.7.11. The mp_pix_image WooCommerce API endpoint lacks a capability check, allowing unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes embed sensitive merchant data including PIX keys (which may be CPF or CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.
Critical Impact
Unauthenticated remote attackers can harvest sensitive merchant and order data, including personal identifiers tied to Brazilian PIX keys, by enumerating orders through an unprotected REST endpoint.
Affected Products
- Mercado Pago payments for WooCommerce plugin for WordPress
- All plugin versions up to and including 8.7.11
- Fixed in version 8.7.12
Discovery Timeline
- 2026-05-06 - CVE-2026-3208 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-3208
Vulnerability Analysis
The vulnerability resides in the PixGateway.php component of the Mercado Pago WooCommerce plugin. The mp_pix_image endpoint serves the QR code image associated with a PIX payment for a given WooCommerce order. The handler does not enforce a WordPress capability check or verify the requester's relationship to the order before returning the image. As a result, any unauthenticated client that can reach the WooCommerce API can request the QR image for an arbitrary order ID.
PIX QR codes are not opaque tokens. They are EMV-compliant payloads that encode the merchant's PIX key, the merchant's name and city, the transaction amount, and a MercadoPago transaction reference. In Brazil, PIX keys frequently map directly to CPF (individual taxpayer ID) or CNPJ (business taxpayer ID) values, which are personal identifiers under LGPD.
Root Cause
The root cause is missing authorization on a public-facing REST endpoint. The endpoint registration in PixGateway.php exposes mp_pix_image without a permission_callback that validates the caller. There is no order ownership check, no nonce validation for unauthenticated callers, and no rate limiting on order ID enumeration.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker iterates order identifiers against the WooCommerce API, requests the mp_pix_image resource for each, and decodes the returned QR codes to extract the embedded PIX payload. Because order IDs in WooCommerce are sequential integers, enumeration is straightforward. The disclosed information can support targeted phishing, merchant impersonation, and aggregation of PII for downstream fraud.
No verified public exploit code is available. See the Wordfence Vulnerability Report and the WooCommerce Plugin Code Reference for technical details.
Detection Methods for CVE-2026-3208
Indicators of Compromise
- High-volume HTTP GET requests to the WooCommerce API path containing mp_pix_image from a single source IP or small set of IPs.
- Sequential or pattern-based order ID parameters in requests to the mp_pix_image endpoint, indicating enumeration.
- Requests to mp_pix_image lacking any authenticated session cookie or X-WP-Nonce header.
- Access to the endpoint from non-customer geographies or hosting provider ASNs not typical for the merchant's customer base.
Detection Strategies
- Parse web server access logs for the mp_pix_image endpoint and alert when request counts exceed a baseline per source IP within a short time window.
- Correlate mp_pix_image access patterns against the order ID space, flagging a single client that requests images for many different orders, or for orders it does not own, within a short time window.
- Inspect WAF telemetry for unauthenticated requests to WooCommerce REST routes belonging to the Mercado Pago plugin.
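The two log-based strategies above, as an added Python example that is not part of this advisory or of the plugin: it parses combined-format access-log lines, keeps requests whose URI contains mp_pix_image, and flags any client that exceeds a per-window request count or walks a run of consecutive order IDs. The URL shape and the order-ID query parameter names are assumptions, since the advisory does not give the exact path; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format; the order id is assumed to be an integer query parameter
# (the advisory does not name the exact path or parameter, so both are assumptions).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')
ORDER_RE = re.compile(r'[?&](?:order_id|order|id)=(\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): one client walks ids 1001..1006 within
# seconds; a second client fetches a single order from the checkout page.
SAMPLE_LOG = "\n".join(
    f'203.0.113.10 - - [06/May/2026:10:00:{i:02d} +0000] "GET /?wc-api=mp_pix_image&id={1000 + i} HTTP/1.1" 200 4100 "-" "curl/8.4"'
    for i in range(1, 7)
) + '\n198.51.100.7 - - [06/May/2026:10:05:00 +0000] "GET /?wc-api=mp_pix_image&id=2048 HTTP/1.1" 200 4099 "https://shop.example/checkout" "Mozilla/5.0"'

def parse_pix_requests(log_text):
    """Yield (ip, timestamp, order_id_or_None) for each request touching mp_pix_image."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "mp_pix_image" not in m.group(3):
            continue
        o = ORDER_RE.search(m.group(3))
        yield m.group(1), datetime.strptime(m.group(2), TS_FMT), int(o.group(1)) if o else None

def longest_sequential_run(order_ids):
    """Length of the longest run of consecutive integers among the distinct ids seen."""
    ids = sorted(set(i for i in order_ids if i is not None))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, window_sec=300, max_per_window=5, min_run=4):
    """Return {ip: [reasons]} for clients whose mp_pix_image traffic looks like enumeration."""
    per_ip = defaultdict(list)
    for ip, ts, oid in parse_pix_requests(log_text):
        per_ip[ip].append((ts, oid))
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        reasons = []
        lo = 0  # sliding window over the client's requests, ordered by time
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_sec:
                lo += 1
            if hi - lo + 1 > max_per_window:
                reasons.append("volume")
                break
        if longest_sequential_run(o for _, o in events) >= min_run:
            reasons.append("sequential_ids")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

Tune window_sec, max_per_window and min_run against the merchant's normal checkout traffic before alerting on the output.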
Monitoring Recommendations
- Enable verbose logging on the WordPress REST API and forward logs to a centralized SIEM for retention and analytics.
- Track plugin version inventory across all WordPress sites and alert when versions at or below 8.7.11 are detected.
- Monitor outbound notifications from MercadoPago to reconcile transaction references against expected merchant activity.
How to Mitigate CVE-2026-3208
Immediate Actions Required
- Update the Mercado Pago payments for WooCommerce plugin to version 8.7.12 or later on every affected WordPress site.
- Audit recent web server logs for requests to mp_pix_image and identify any unauthorized order data exposure.
- Notify affected customers and merchants if log analysis indicates that PIX QR data was retrieved by unauthorized parties, in line with LGPD obligations.
Patch Information
The vendor addressed the issue in version 8.7.12 of the plugin. The fix is documented in the WooCommerce Plugin Version Change changeset, which adds the missing capability and ownership checks to the mp_pix_image endpoint in PixGateway.php.
Workarounds
- If immediate patching is not possible, deploy a WAF rule that blocks unauthenticated requests to URLs containing mp_pix_image.
- Temporarily disable the PIX payment gateway in the plugin settings until the update is applied.
- Restrict access to the WooCommerce REST API by IP allowlisting at the reverse proxy or CDN layer where feasible.
# Example WAF rule (ModSecurity) to block unauthenticated access to mp_pix_image
# The two rules are chained: a request is denied only when its URI contains
# mp_pix_image AND it carries no Cookie header at all. Any request that sends
# a cookie passes, so this is a stopgap until 8.7.12 is installed, not a fix.
SecRule REQUEST_URI "@contains mp_pix_image" \
"id:1026032081,phase:1,deny,status:403,\
msg:'Block unauthenticated access to Mercado Pago mp_pix_image (CVE-2026-3208)',\
chain"
SecRule &REQUEST_HEADERS:Cookie "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.