Platform: wordpress
Component: woo-rede
Fixed in: 5.1.6
CVE-2026-0942 affects the Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin, a WordPress extension facilitating payments. This vulnerability allows unauthenticated attackers to delete order logs, potentially concealing malicious activity. Versions 0.0.0 through 5.1.5 are vulnerable, and a fix is available in version 5.1.6.
The core impact of CVE-2026-0942 lies in the ability of an attacker to tamper with order logs within a WooCommerce store. By deleting these logs, an attacker can effectively erase evidence of fraudulent transactions or other suspicious activities. This can hinder investigations, complicate dispute resolution, and potentially lead to financial losses for both the store owner and customers. The lack of authentication required to exploit this vulnerability significantly broadens the attack surface, as any unauthenticated user can trigger the log deletion.
CVE-2026-0942 was publicly disclosed on 2026-01-16. No public proof-of-concept (PoC) code has been released as of this writing, but because no authentication is required, exploitation could follow quickly if a PoC is developed. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-0942 is to immediately upgrade the Rede Itaú for WooCommerce plugin to version 5.1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the clearOrderLogs() function. This could involve adding a capability check within the plugin code to ensure that only authorized users (e.g., administrators) can execute this function. Regularly audit your WordPress plugins for vulnerabilities and keep them up to date.
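The capability check described above could look like the following. This is an added example, not the plugin's own code or its 5.1.6 patch. The page does not say how clearOrderLogs() is exposed, so the admin-ajax action name, the nonce name and the `_example_gateway_logs` meta key are hypothetical stand-ins.

```php
<?php
/**
 * Added example: a log-clearing endpoint gated by capability and nonce.
 * Hypothetical names: the action, the nonce and the meta key.
 */

// Register only the authenticated hook. With no wp_ajax_nopriv_* counterpart,
// logged-out requests never reach the handler.
add_action( 'wp_ajax_example_clear_order_logs', 'example_handle_clear_order_logs' );

function example_handle_clear_order_logs() {
    // 1. Authorization: only users who manage the shop may clear logs.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this action.
    if ( ! check_ajax_referer( 'example_clear_order_logs', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 3. Input validation: accept a positive integer that maps to a real order.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }

    // 4. Audit trail: record who cleared what before the data is removed,
    //    in a separate WooCommerce log source so the deletion stays traceable.
    wc_get_logger()->notice(
        sprintf( 'Gateway logs for order %d cleared by user %d', $order_id, get_current_user_id() ),
        array( 'source' => 'example-log-audit' )
    );

    // 5. Stand-in for the plugin's clearOrderLogs(): remove the stored log meta.
    $order->delete_meta_data( '_example_gateway_logs' );
    $order->save();

    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```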
Update to version 5.1.6, or a newer patched version
CVE-2026-0942 is a medium-severity vulnerability in the Rede Itaú for WooCommerce plugin allowing unauthenticated users to delete WooCommerce order logs, potentially masking fraudulent transactions.
Yes, if you are using Rede Itaú for WooCommerce versions 0.0.0 through 5.1.5, you are affected by this vulnerability.
Upgrade the Rede Itaú for WooCommerce plugin to version 5.1.6 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for rapid exploitation if a PoC is developed.
Refer to the plugin developer's website or the WordPress plugin directory for the latest security advisories and updates related to Rede Itaú for WooCommerce.