Description
Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.
Published: 2026-06-17
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vulnerability allows attackers to bypass the authentication mechanism for the Melhor Envio WordPress plugin, effectively granting them unauthorized access to the plugin’s administrative functions. This breach in authentication control can facilitate the execution of unintended administrative actions, data manipulation, or the introduction of malicious content. The weakness is classified as CWE-288 and indicates a failure to enforce proper authentication and session management.

Affected Systems

Any WordPress installation running the Melhor Envio plugin version 2.16.3 or earlier is vulnerable. The affected product is the Melhor Envio WordPress plugin, specifically versions up to and including 2.16.3, which can be found in WordPress plugin repositories and on sites where the plugin is installed.

Risk and Exploitability

The CVSS score of 7.6 places this vulnerability in the high severity range. At present the EPSS score is not available, and it is not listed in the CISA KEV catalog, indicating no known widespread exploitation data. The typical attack vector is inferred to be remote via the WordPress site’s authentication interface, where an attacker could submit crafted credentials or use session manipulation to gain elevated privileges.

Generated by OpenCVE AI on June 18, 2026 at 12:03 UTC.

Remediation

Vendor Solution

Update the WordPress Melhor Envio Plugin to the latest available version (at least 2.16.4).


OpenCVE Recommended Actions

  • Update the Melhor Envio plugin to version 2.16.4 or later, which contains the authentication fix.
  • If the plugin is not required for business operations, remove or disable it entirely to eliminate the vulnerability surface.
  • Review and enforce tight authentication controls on WordPress admin accounts, including multi‑factor authentication and strict role‑based access for the plugin’s configuration pages.

Generated by OpenCVE AI on June 18, 2026 at 12:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Melhorenvio
Melhorenvio melhor Envio
Wordpress
Wordpress wordpress
Vendors & Products Melhorenvio
Melhorenvio melhor Envio
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.
Title WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}


Subscriptions

Melhorenvio Melhor Envio
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:35:34.811Z

Reserved: 2026-06-16T09:21:34.477Z

Link: CVE-2026-54804

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:37Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel