CVE-2026-0942 is a vulnerability identified in the Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin, a WordPress extension facilitating payment processing via Rede Itaú. The flaw stems from the absence of a capability check on the clearOrderLogs() function, which is responsible for clearing the Rede Order Logs metadata associated with WooCommerce orders. Because this function lacks authentication enforcement, any unauthenticated attacker can invoke it remotely to delete order log data. This deletion compromises the integrity of order records, potentially disrupting financial reconciliation, fraud detection, and audit trails. The vulnerability affects all plugin versions up to and including 5.1.2. The CVSS 3.1 base score is 5.3 (medium), with vector metrics indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). No patches or exploits are currently reported, but the risk exists due to the ease of exploitation and the critical nature of order log data in e-commerce operations. The plugin’s integration with WooCommerce, a widely used e-commerce platform, increases the potential attack surface, especially for merchants using Rede Itaú payment methods. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the failure to enforce access controls on sensitive functionality.

For European organizations, particularly e-commerce merchants using WooCommerce integrated with Rede Itaú payment services, this vulnerability poses a risk to the integrity of transactional data. Unauthorized deletion of order logs can hinder order tracking, financial auditing, and fraud investigations, potentially leading to financial discrepancies and loss of customer trust. While the vulnerability does not expose sensitive customer data directly or cause service outages, the manipulation of order metadata can complicate dispute resolution and regulatory compliance, especially under GDPR requirements for data accuracy and integrity. Organizations relying on automated reconciliation or analytics based on order logs may experience operational disruptions. The absence of authentication requirements and the ability to exploit remotely increase the risk of opportunistic attacks. Although no known exploits are reported, the medium severity rating suggests that attackers could leverage this flaw to cover tracks after fraudulent transactions or disrupt business processes.

1. Monitor for plugin updates from the vendor and apply patches promptly once released to address the missing authentication check. 2. In the interim, restrict access to the clearOrderLogs() function by implementing web application firewall (WAF) rules to block unauthorized requests targeting this function or its endpoints. 3. Harden WordPress installations by limiting plugin permissions and using role-based access controls to minimize exposure. 4. Enable detailed logging and alerting on order log deletions or modifications to detect suspicious activity early. 5. Conduct regular audits of WooCommerce order metadata to identify unexpected changes. 6. Consider isolating payment processing components or using network segmentation to reduce attack surface. 7. Educate IT and security teams about this vulnerability to ensure rapid response if exploitation attempts are detected. 8. Review and enhance backup and recovery procedures for order data to mitigate potential data loss from malicious deletions.