Platform: wordpress
Component: woo-rede
Fixed version: 5.1.6
CVE-2026-0942 affects the Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin, a WordPress extension facilitating payments. This vulnerability allows unauthenticated attackers to delete order logs, potentially concealing malicious activity. Versions 0.0.0 through 5.1.5 are vulnerable, and a fix is available in version 5.1.6.
The core impact of CVE-2026-0942 lies in the ability of an attacker to tamper with order logs within a WooCommerce store. By deleting these logs, an attacker can effectively erase evidence of fraudulent transactions or other suspicious activities. This can hinder investigations, complicate dispute resolution, and potentially lead to financial losses for both the store owner and customers. The lack of authentication required to exploit this vulnerability significantly broadens the attack surface, as any unauthenticated user can trigger the log deletion.
CVE-2026-0942 was publicly disclosed on 2026-01-16. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation (unauthenticated access) suggests a potential for rapid exploitation if a PoC is developed. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress e-commerce sites utilizing the Rede Itaú for WooCommerce plugin are at risk, particularly those running older, unpatched versions (0.0.0–5.1.5). Shared hosting environments where plugin updates are managed centrally are also at increased risk if the plugin is not promptly updated.
• wordpress / composer / npm:
grep -r 'clearOrderLogs()' /var/www/html/wp-content/plugins/rede-itau-woocommerce/
• wordpress / composer / npm:
wp plugin list | grep 'rede-itau-woocommerce'
• wordpress / composer / npm:
wp plugin update --all
• generic web: Check WordPress plugin directory for updates and security advisories related to Rede Itaú for WooCommerce.
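The version and code checks above, combined into one script, as an added example (not part of the original advisory or the plugin's own code): it reads the `Version:` header from a plugin directory and flags anything below the fixed version 5.1.6. The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag plugin installs below the fixed version from the advisory.
FIXED_VERSION="5.1.6"

# Print the Version header of the main plugin file found in directory $1.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        # Only the main plugin file carries a "Plugin Name:" header.
        grep -q 'Plugin Name:' "$f" || continue
        v=$(head -c 8192 "$f" |
            sed -n 's/^[[:space:]*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*/\1/p' |
            head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Exit 0 when dotted version $1 is strictly lower than $2 (numeric, per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Report on plugin directory $1. Returns 0 = patched, 1 = vulnerable, 2 = unknown.
check_plugin() {
    ver=$(plugin_version "$1") || { echo "UNKNOWN $1 (no plugin header)"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        hint="clearOrderLogs not found"
        if grep -rq 'clearOrderLogs' "$1"; then hint="clearOrderLogs present"; fi
        echo "VULNERABLE $1 version=$ver ($hint)"
        return 1
    fi
    echo "OK $1 version=$ver"
}

# Usage: sh check.sh /path/to/wp-content/plugins/<plugin-dir>
if [ "$#" -gt 0 ]; then check_plugin "$1"; fi
```

The non-zero return code for a vulnerable or unidentifiable install lets the script gate a deployment job or feed a monitoring check.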
Exploit status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-0942 is to immediately upgrade the Rede Itaú for WooCommerce plugin to version 5.1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the clearOrderLogs() function. This could involve adding a capability check within the plugin code to ensure that only authorized users (e.g., administrators) can execute this function. Regularly audit your WordPress plugins for vulnerabilities and ensure they are kept up-to-date.
Update to version 5.1.6 or a later fixed version.
CVE-2026-0942 is a medium-severity vulnerability in the Rede Itaú for WooCommerce plugin allowing unauthenticated users to delete WooCommerce order logs, potentially masking fraudulent transactions.
Yes, if you are using Rede Itaú for WooCommerce versions 0.0.0 through 5.1.5, you are affected by this vulnerability.
Upgrade the Rede Itaú for WooCommerce plugin to version 5.1.6 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for rapid exploitation if a PoC is developed.
Refer to the plugin developer's website or the WordPress plugin directory for the latest security advisories and updates related to Rede Itaú for WooCommerce.