Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure
Description
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=8.7.11What Changed in the Fix
Changes introduced in v8.7.12
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-3208 (Mercado Pago PIX QR Code Disclosure) ## 1. Vulnerability Summary The **Mercado Pago payments for WooCommerce** plugin (versions <= 8.7.11) contains a missing authorization vulnerability in its handling of the `mp_pix_image` WooCommerce API endpoint. The …
Show full research plan
Exploitation Research Plan: CVE-2026-3208 (Mercado Pago PIX QR Code Disclosure)
1. Vulnerability Summary
The Mercado Pago payments for WooCommerce plugin (versions <= 8.7.11) contains a missing authorization vulnerability in its handling of the mp_pix_image WooCommerce API endpoint. The plugin registers a callback for the woocommerce_api_mp_pix_image hook to serve PIX payment QR codes. However, this callback fails to implement capability checks or verify order ownership, allowing unauthenticated attackers to view the QR code images for any order by simply providing an order ID. These QR codes contain sensitive merchant PII, including PIX keys (often CPF/CNPJ numbers in Brazil).
2. Attack Vector Analysis
- Endpoint: WooCommerce Custom API Gateway
- URL Pattern:
https://[target]/index.php?wc-api=mp_pix_image - Vulnerable Parameter:
order_id(inferred based on standard WooCommerce gateway patterns) - Authentication: None required (Unauthenticated).
- Preconditions:
- The Mercado Pago plugin must be active.
- At least one order must have been placed using the PIX payment method to generate valid QR code data in the database.
3. Code Flow (Inferred)
- Registration: The plugin registers the API handler via the WooCommerce API hook:
add_action( 'woocommerce_api_mp_pix_image', [ $this, 'mp_pix_image_callback' ] ); - Entry Point: When a request hits
?wc-api=mp_pix_image, the callback (likely inincludes/gateways/class-wc-woocomerce-mercadopago-pix-gateway.phpor similar) is executed. - Processing:
- The code retrieves the
order_idfrom$_GET['order_id']. - It fetches the order object using
wc_get_order( $order_id ). - It retrieves PIX metadata (e.g.,
_mp_order_pix_image_urlor a Base64 string from order meta).
- The code retrieves the
- The Leak (Sink): The function outputs the image content or redirects to the QR code URL without calling
current_user_can( 'view_order', $order_id )or checking if the current session matches the order's customer.
4. Nonce Acquisition Strategy
This vulnerability resides in a WooCommerce API (WC_API) callback. By design, WC_API endpoints are intended for external communication (like webhooks) and do not require WordPress nonces for access.
- Nonce Requirement: None.
- Strategy: Direct unauthenticated HTTP GET requests.
5. Exploitation Strategy
The goal is to retrieve a PIX QR code for an order belonging to another user.
Step-by-Step Plan:
- Discovery: Determine a valid Order ID. In a test environment, this will be the ID of an order placed using PIX.
- Request: Use the
http_requesttool to send a GET request to the vulnerable endpoint. - Analysis: Observe if the response returns an image (Content-Type:
image/pngorimage/jpeg) or a Base64 encoded string containing the PIX data.
Targeted Request:
GET /index.php?wc-api=mp_pix_image&order_id=[TARGET_ORDER_ID] HTTP/1.1
Host: [TARGET_HOST]
Connection: close
6. Test Data Setup
To successfully demonstrate the PoC, the environment must have a PIX order:
- Activate Plugin: Ensure
woocommerce-mercadopagois installed and active. - Configure PIX: Enable the PIX payment method in WooCommerce settings (Mercado Pago).
- Create Order: As a Customer user (User B), place an item in the cart and checkout using the PIX payment method.
- Identify Order ID: Note the ID of this order (e.g.,
123). - Attacker Context: Perform the exploit as an Unauthenticated user (No cookies) attempting to access Order
123.
7. Expected Results
- Successful Exploit: The server returns a 200 OK response with the PIX QR code image data.
- Data Disclosure: The image, when decoded or viewed, contains the PIX payload (EMV QRCPS format), which includes the merchant's PIX key (CPF/CNPJ/Email), transaction amount, and merchant name.
- Vulnerability Confirmation: Access is granted even when the requester has no session cookies and is not the owner of the order.
8. Verification Steps (Post-Exploit)
Confirm the existence of the leaked data in the database using WP-CLI:
# Check if the order actually exists and has PIX meta
wp post get [TARGET_ORDER_ID] --field=post_type # Should be 'shop_order'
wp post meta list [TARGET_ORDER_ID] | grep mp_
9. Alternative Approaches
If order_id is not the correct parameter name, check for:
idordermp_order_id
If the response is a redirect (302), follow the redirect using http_request with max_redirects to see if it points to a sensitive resource on the mercadopago.com CDN that identifies the merchant.
Code Search for the Agent:
Before requesting, the agent should verify the hook registration to confirm the parameter name:
grep -rn "woocommerce_api_mp_pix_image" /var/www/html/wp-content/plugins/woocommerce-mercadopago/
Then locate the function body to see how the ID is pulled from $_GET.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.