Security Alert Summary
The Pix para Woocommerce WordPress plugin through 2.13.3 contains a vulnerability that allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. Authenticated users (including low-privilege roles such as subscribers) can clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
CVE Details
- CVE ID: CVE-2025-15400
- Affected component: Pix para Woocommerce WordPress plugin
- Affected versions: through 2.13.3 (up to and including 2.13.3)
- Published: February 11, 2026 at 6:15:47 AM (UTC)
- Last modified: February 11, 2026 at 3:27:26 PM (UTC)
- CVSS v3.1 base score / severity / vector: Not specified in this CVE entry
- Authentication / privileges / user interaction: An authenticated user can trigger the vulnerable AJAX actions; no capability or nonce checks are performed according to the description
- Primary impact:
  - Confidentiality: Not explicitly stated (no direct data exposure specified)
  - Integrity: Configuration integrity affected; payment gateway options, API credentials, and webhook status can be reset or cleared
  - Availability: Payment functionality (OpenPix) can experience persistent disruption
- CWE / weakness ID: Not specified in this CVE entry
Technical Details
The plugin allows authenticated users to invoke AJAX actions that reset payment gateway configuration options without performing capability checks or verifying nonces. Because these AJAX endpoints lack required authorization and request validation, any authenticated account that can reach those AJAX actions can trigger resets of configuration data.
The description specifically notes missing capability and nonce checks for the AJAX actions; no named functions or REST API endpoints are provided in the CVE entry. The immediate technical consequence is that API credentials and webhook status can be cleared by an authenticated actor, leading to persistent interruption of OpenPix payment processing until configuration is restored.
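The pattern described above, as an added illustration that is not the plugin's code: a WordPress AJAX handler reachable by any logged-in user that resets options with no checks, beside the hardened form that verifies a nonce and a capability first. Action slugs, option names and the script handle are hypothetical, since the CVE entry does not name the real ones.

```php
<?php
// Added example (not the plugin's code). Action slugs and option names are
// hypothetical placeholders; the CVE entry does not disclose the real ones.

// WEAK PATTERN: wp_ajax_* handlers run for every authenticated user, so this
// resets gateway configuration for anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_example_reset_gateway', 'example_reset_gateway_unsafe' );
function example_reset_gateway_unsafe() {
    delete_option( 'example_gateway_api_key' );        // hypothetical option
    delete_option( 'example_gateway_webhook_status' ); // hypothetical option
    wp_send_json_success( 'reset' );
}

// HARDENED PATTERN: validate the request, then authorize, then change state.
add_action( 'wp_ajax_example_reset_gateway_safe', 'example_reset_gateway_safe' );
function example_reset_gateway_safe() {
    // Dies with HTTP 403 unless the 'nonce' field was issued for this action
    // to the current user and has not expired (defeats cross-site requests).
    check_ajax_referer( 'example_reset_gateway', 'nonce' );

    // Only shop managers and administrators may alter payment settings;
    // subscribers and contributors are rejected here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    delete_option( 'example_gateway_api_key' );
    delete_option( 'example_gateway_webhook_status' );
    wp_send_json_success( 'reset' );
}

// The nonce is minted server-side into the settings-page script (assumed to
// be enqueued under the handle 'example-settings'), so only a legitimately
// rendered admin page can produce a request that passes check_ajax_referer().
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-settings', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_reset_gateway' ),
    ) );
} );
```

The nonce alone is not authorization: it only ties the request to a page the server rendered, which is why the capability check is still required.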
How This Could Impact Your Website
Consider a site with multiple user types: a site owner (administrator), several internal staff members with editor or author roles, and external contributors or subscribers. If a low-privilege authenticated account (for example, a subscriber or external contributor) triggers the vulnerable AJAX actions, API credentials and webhook configuration used for OpenPix payments may be cleared. That can stop payment processing for customers, cause failed transactions, and require administrative effort to identify and restore correct settings.
Practical consequences include increased support requests from customers, delayed or lost payments, and a higher risk of targeted phishing or social engineering if billing or webhook notifications are disrupted. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (not specified in this CVE entry).
- Review and reduce unnecessary user roles, especially contributors and subscribers who do not require authenticated access to admin-facing functionality.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior related to plugin configuration changes or AJAX requests.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.