The vulnerability identified as CVE-2026-0942 affects the Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin, a WordPress extension facilitating payment processing via Rede Itaú. The root cause is a missing capability check (CWE-306) on the clearOrderLogs() function, which is responsible for clearing order log metadata associated with WooCommerce orders. Because this function lacks proper authentication or authorization controls, any unauthenticated attacker can invoke it remotely to delete critical order log data. This deletion compromises the integrity of order records, potentially disrupting transaction audits, dispute resolution, and financial tracking. The vulnerability affects all plugin versions up to 5.1.2, with no patch currently available as per the provided data. The CVSS v3.1 base score is 5.3 (medium), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). No known exploits have been reported in the wild, but the ease of exploitation and potential business impact warrant prompt remediation. The vulnerability is particularly concerning for e-commerce platforms relying on WooCommerce and the Rede Itaú payment gateway, especially in regions where this payment method is prevalent.

The primary impact of this vulnerability is unauthorized modification of order log metadata, which undermines the integrity of transaction records. This can lead to difficulties in auditing transactions, resolving payment disputes, and maintaining accurate financial records. Although confidentiality and availability are not directly affected, the loss or tampering of order logs can disrupt business operations and erode customer trust. Attackers could leverage this flaw to cover tracks after fraudulent transactions or to create confusion in order management processes. Organizations relying on this plugin for payment processing may face regulatory compliance issues if transaction records are altered or deleted. The vulnerability's ease of exploitation without authentication increases the risk of widespread abuse, especially on publicly accessible WooCommerce sites. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate this vulnerability, organizations should first verify if they are using the Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin, particularly versions up to 5.1.2. Immediate steps include restricting access to the WordPress REST API endpoints or plugin functions that expose the clearOrderLogs() functionality, using web application firewalls (WAFs) to block unauthorized requests targeting this function. Administrators should monitor logs for suspicious activity related to order log deletions. If a patch becomes available from the vendor, it should be applied promptly. In the absence of an official patch, consider temporarily disabling or removing the plugin to prevent exploitation. Additionally, implement strict role-based access controls within WordPress to limit plugin management capabilities to trusted users only. Regular backups of WooCommerce order data and logs are essential to recover from any unauthorized deletions. Finally, keep WordPress core and all plugins updated to reduce exposure to similar vulnerabilities.