48 matches found
CVE-2026-3208
The CVE-2026-3208 entry concerns the Mercado Pago payments for WooCommerce plugin for WordPress. A missing capability check on the mp_pix_image endpoint allows unauthenticated access to PIX payment QR code images for arbitrary orders in all versions up to 8.7.11. The PIX QR codes expose sensitive...
CVE-2026-3208 Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve...
WordPress plugin Mercado Pago payments for WooCommerce security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
PT-2026-37341
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrie...
WordPress Mercado Pago payments for WooCommerce plugin <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure vulnerability
Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure vulnerability discovered by Muhammad Sharief in WordPress Plugin Mercado Pago payments for WooCommerce versions <= 8.7.11...
EUVD-2020-18402
Malware in sbrugna...
EUVD-2024-32501
Malicious code in bioql PyPI...
EUVD-2022-47989
Malicious code in bioql PyPI...
CVE-2025-9885 MPWizard – Create Mercado Pago Payment Links <= 1.2.1 - Cross-Site Request Forgery to Arbitrary Post Deletion
The MPWizard – Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for...
PT-2025-40505
Name of the Vulnerable Software and Affected Versions: MPWizard – Create Mercado Pago Payment Links plugin for WordPress versions prior to 1.2.2. Description: The software is susceptible to Cross-Site Request Forgery, allowing unauthenticated attackers to delete arbitrary posts. This is possible due...
CVE-2024-3934
The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to Path Traversal in versions 7.3.0 to 7.5.1 via the mercadopagoDownloadLog function. This makes it possible for authenticated attackers, with subscriber-level access and above, to download and read the contents of...
CVE-2022-45068
Cross-Site Request Forgery CSRF vulnerability in Mercado Pago Mercado Pago payments for WooCommerce plugin = 6.3.1...
CVE-2020-25751
The paGO Commerce plugin 2.5.9.0 for Joomla! allows SQL Injection via the administrator/index.php?option=compago=comments filterpublished parameter...
CVE-2024-12467
The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-12467
The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-12467 Pago por Redsys <= 1.0.12 - Reflected Cross-Site Scripting
The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-12467
CVE-2024-12467: Pago por Redsys WordPress plugin has a reflected XSS in Ds_MerchantParameters affecting all versions up to 1.0.12. Exploitation is unauthenticated; user action (e.g., clicking a link) triggers script execution. The issue is addressed in a subsequent release (1.0.13 per changelog),...
CVE-2024-12467 Pago por Redsys <= 1.0.12 - Reflected Cross-Site Scripting
The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WordPress plugin Pago por Redsys cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
WordPress Pago por Redsys plugin <= 1.0.12 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by José Aguilera in WordPress Plugin Pago por Redsys versions <= 1.0.12...