CVE-2026-0939
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status ManipulationThe Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.
We have discovered 205 live websites that are affected by CVE-2026-0939.
Affected Software
| Product |  Woo Rede |
| Category | Wordpress Plugins |
| Vulnerable Domains | 205 live websites (100% of Woo Rede install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 21 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-345 Insufficient Verification of Data AuthenticityDetails
- Published - Jan 16, 2026
- Updated - Jan 16, 2026
Credits
- Osvaldo Noe Gonzalez Del Rio (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-0939 United States | 19 websites |
 Brazil | 182 websites |
 Germany | 2 websites |
 Cyprus | 1 websites |
 Singapore | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2026-0939| .com.br | 179 websites |
| .com | 13 websites |
| .net | 1 websites |
| .org | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-0939
Top websites that are affected by CVE-2026-0939. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******************.***.br | Brazil | ***,*** | |
| ****.***.br | United States | ***,*** | |
| *********.***.br | Brazil | ***,*** | |
| ****.***.br | Brazil | *,***,*** | |
| ********.***.br | United States | *,***,*** | |
| ****.***.br | Brazil | *,***,*** | |
| ***.***.br | Brazil | *,***,*** | |
| ******************.***.br | Brazil | *,***,*** | |
| ******.***.br | Brazil | *,***,*** | |
| ********.***.br | Brazil | *,***,*** |
FAQ
CVE-2026-0939 is Insufficient Verification of Data Authenticity in Woo Rede
A total of 205 websites have been identified as vulnerable to CVE-2026-0939, based on global website indexing conducted by WebTechSurvey.
The Woo Rede is affected by the CVE-2026-0939 vulnerability.
Woo Rede versions up to and including 5.1.2 are vulnerable to CVE-2026-0939.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve
- https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45
- https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460
- https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710