Skip to main content

Melhor Envio CVE-2026-54804

| EUVDEUVD-2026-37640 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 Patchstack
7.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
vuln.today AI
7.6 HIGH

Reachable over the web by any authenticated subscriber (AV:N/AC:L/PR:L/UI:N); broken auth on a shipping action yields partial data exposure and high availability impact on fulfillment.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:52 vuln.today

DescriptionCVE.org

Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.

AnalysisAI

Authentication bypass in the Melhor Envio WordPress plugin (versions 2.16.3 and earlier) allows low-privileged subscriber accounts to perform actions they should not be authorized for. With CVSS 7.6 (high) and a CWE-288 classification, the flaw lets any registered WordPress user escalate access against the plugin's restricted endpoints, with no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Authenticate to WordPress
Exploit
Send request to vulnerable Melhor Envio endpoint
Execution
Bypass capability check via CWE-288 flaw
Persist
Invoke privileged shipping action
Impact
Exfiltrate order data or disrupt fulfillment

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WordPress site to have the Melhor Envio plugin (melhor-envio-cotacao) installed and active at version 2.16.3 or earlier, and the attacker must hold a valid WordPress account at Subscriber privilege or above (PR:L) - easily obtained on sites with open registration, which is common for WooCommerce storefronts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H signals network-reachable, low-complexity exploitation by any authenticated user, with a high availability impact and partial confidentiality/integrity loss - a realistic risk on WordPress sites that allow subscriber-level registration (common for WooCommerce stores). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WooCommerce site running Melhor Envio (or compromises an existing low-privileged user), then sends an authenticated HTTP request to a vulnerable plugin endpoint that fails to verify the user's role. The endpoint executes a privileged shipping/quotation action - for example exposing customer order/address data or generating/cancelling shipping labels - yielding information disclosure and disrupting fulfillment.
Remediation Upgrade the Melhor Envio plugin to a version newer than 2.16.3 once the vendor publishes a fixed release (patch availability per Patchstack advisory; released patched version not independently confirmed from the supplied data - verify against the Patchstack URL above before deployment). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running Melhor Envio plugin ≤2.16.3 and document current version deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy