
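    4 vulnerability records by melhorenvio (two CVEs, CVE-2026-54804 and CVE-2024-13820, each listed once from the nvd source and once from cvelistv5)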

    CVE-2026-54804 (GCVE-0-2026-54804)

    Vulnerability from nvd – Published: 2026-06-17 09:51 – Updated: 2026-06-17 15:35
    VLAI
    Title
    WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
    Summary
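    Broken authentication in Melhor Envio versions <= 2.16.3, reachable from a Subscriber-level account (the record's CVSS vector lists PR:L). The record marks 2.16.4 as unaffected.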
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    References
    Impacted products
    Vendor Product Version
    melhorenvio Melhor Envio Affected: n/a , ≤ 2.16.3 (custom)
    Credits
    HieuPenguinnn | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54804",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:20:17.020324Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:35:34.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "melhor-envio-cotacao",
              "product": "Melhor Envio",
              "vendor": "melhorenvio",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.16.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.16.3",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HieuPenguinnn | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions."
                }
              ],
              "value": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T09:51:43.493Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/melhor-envio-cotacao/vulnerability/wordpress-melhor-envio-plugin-2-16-3-broken-authentication-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress Melhor Envio Plugin to the latest available version (at least 2.16.4)."
                }
              ],
              "value": "Update the WordPress Melhor Envio Plugin to the latest available version (at least 2.16.4)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Melhor Envio plugin \u003c= 2.16.3 - Broken Authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-54804",
        "datePublished": "2026-06-17T09:51:43.493Z",
        "dateReserved": "2026-06-16T09:21:34.477Z",
        "dateUpdated": "2026-06-17T15:35:34.811Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13820 (GCVE-0-2024-13820)

    Vulnerability from nvd – Published: 2025-04-08 04:21 – Updated: 2026-04-08 17:14
    VLAI
    Title
    Melhor Envio <= 2.15.11 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash
    Summary
    The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information. Note: because plugin tokens are among the exposed data, a site that ran an affected version should rotate its Melhor Envio tokens after updating past 2.15.11.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    melhorenvio Melhor Envio Affected: 0 , ≤ 2.15.11 (semver)
    Credits
    Luciano Hanna

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13820",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T14:21:37.580215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T15:59:40.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Melhor Envio",
              "vendor": "melhorenvio",
              "versions": [
                {
                  "lessThanOrEqual": "2.15.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luciano Hanna"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the \u0027run\u0027 function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:02.878Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8f093bc-5cd3-41a0-b86b-d00338334d2e?source=cve"
            },
            {
              "url": "https://github.com/melhorenvio/wp-melhorenvio-v2/blob/6e2f5bb01c536df9fc84534eb8a27ec99d9601af/Services/TestService.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3274912/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-07T15:53:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Melhor Envio \u003c= 2.15.11 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13820",
        "datePublished": "2025-04-08T04:21:29.674Z",
        "dateReserved": "2025-01-31T19:39:18.173Z",
        "dateUpdated": "2026-04-08T17:14:02.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54804 (GCVE-0-2026-54804)

    Vulnerability from cvelistv5 – Published: 2026-06-17 09:51 – Updated: 2026-06-17 15:35
    VLAI
    Title
    WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
    Summary
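    Broken authentication in Melhor Envio versions <= 2.16.3, reachable from a Subscriber-level account (the record's CVSS vector lists PR:L). The record marks 2.16.4 as unaffected.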
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    References
    Impacted products
    Vendor Product Version
    melhorenvio Melhor Envio Affected: n/a , ≤ 2.16.3 (custom)
    Credits
    HieuPenguinnn | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54804",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:20:17.020324Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:35:34.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "melhor-envio-cotacao",
              "product": "Melhor Envio",
              "vendor": "melhorenvio",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.16.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.16.3",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HieuPenguinnn | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions."
                }
              ],
              "value": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T09:51:43.493Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/melhor-envio-cotacao/vulnerability/wordpress-melhor-envio-plugin-2-16-3-broken-authentication-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress Melhor Envio Plugin to the latest available version (at least 2.16.4)."
                }
              ],
              "value": "Update the WordPress Melhor Envio Plugin to the latest available version (at least 2.16.4)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Melhor Envio plugin \u003c= 2.16.3 - Broken Authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-54804",
        "datePublished": "2026-06-17T09:51:43.493Z",
        "dateReserved": "2026-06-16T09:21:34.477Z",
        "dateUpdated": "2026-06-17T15:35:34.811Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13820 (GCVE-0-2024-13820)

    Vulnerability from cvelistv5 – Published: 2025-04-08 04:21 – Updated: 2026-04-08 17:14
    VLAI
    Title
    Melhor Envio <= 2.15.11 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash
    Summary
    The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information. Note: because plugin tokens are among the exposed data, a site that ran an affected version should rotate its Melhor Envio tokens after updating past 2.15.11.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    melhorenvio Melhor Envio Affected: 0 , ≤ 2.15.11 (semver)
    Credits
    Luciano Hanna

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13820",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T14:21:37.580215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T15:59:40.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Melhor Envio",
              "vendor": "melhorenvio",
              "versions": [
                {
                  "lessThanOrEqual": "2.15.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luciano Hanna"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the \u0027run\u0027 function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:02.878Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8f093bc-5cd3-41a0-b86b-d00338334d2e?source=cve"
            },
            {
              "url": "https://github.com/melhorenvio/wp-melhorenvio-v2/blob/6e2f5bb01c536df9fc84534eb8a27ec99d9601af/Services/TestService.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3274912/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-07T15:53:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Melhor Envio \u003c= 2.15.11 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13820",
        "datePublished": "2025-04-08T04:21:29.674Z",
        "dateReserved": "2025-01-31T19:39:18.173Z",
        "dateUpdated": "2026-04-08T17:14:02.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }