vulnerability

WordPress Plugin: woo-rede: CVE-2026-0939: Insufficient Verification of Data Authenticity

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Jan 15, 2026	Jan 20, 2026	Jan 20, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Jan 15, 2026

Added

Jan 20, 2026

Modified

Jan 20, 2026

Description

The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.

Solution

woo-rede-plugin-cve-2026-0939

References

URL-https://www.cve.org/CVERecord?id=CVE-2026-0939
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=api-prod
CVE-2026-0939
https://attackerkb.com/topics/CVE-2026-0939
CWE-345

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today