CVE-2026-54804

Melhor Envio <= 2.16.3 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.16.4
Patched in
10d
Time to patch

Description

The Melhor Envio plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.16.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.16.3
PublishedJune 16, 2026
Last updatedJune 25, 2026
Affected pluginmelhor-envio-cotacao

What Changed in the Fix

Changes introduced in v2.16.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved in "Missing Authorization" vulnerabilities and how to …

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved in "Missing Authorization" vulnerabilities and how to properly secure WordPress controllers.

Understanding Missing Authorization in WordPress

A Missing Authorization vulnerability (often categorized under OWASP's Broken Access Control) occurs when an application performs a security check to verify the integrity of a request (such as a CSRF check) but fails to verify the identity and permissions of the user performing the action.

In the context of the provided WordPress plugin code, the vulnerability stems from the reliance on Nonce verification without a corresponding Capability check.

1. Nonce vs. Capability

  • Nonces (_wpnonce): These are primarily used for CSRF (Cross-Site Request Forgery) protection. They ensure that the request was intentionally sent by the user from a specific form or link. However, a nonce does not verify who the user is or if they should be allowed to perform the action.
  • Capabilities (current_user_can): This is the authorization mechanism in WordPress. It checks if the currently logged-in user has the necessary permissions (e.g., manage_options for administrators, edit_posts for authors) to execute a specific function.

2. Vulnerability Pattern

In the provided files (such as TokenController.php or ConfigurationController.php), the code follows this pattern:

public function save() {
    // 1. Integrity check (CSRF protection)
    WpNonceValidatorHelper::check( $_POST[ self::WP_NONCE ], 'tokens' );

    // 2. Data processing and persistence
    $result = ( new TokenService() )->save(...);

    // 3. Response
    return wp_send_json( ... );
}

If the AJAX action or REST route that triggers this save() function is registered in a way that allows Subscriber-level users to access it, the WpNonceValidatorHelper::check will pass if the Subscriber provides a valid nonce. Without a current_user_can() check, the Subscriber can successfully modify sensitive settings like API tokens or plugin configurations.

Remediation Best Practices

To secure WordPress controllers against unauthorized access, developers should follow these steps:

  1. Implement Capability Checks: Every function that modifies data or exposes sensitive information must check for a specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    
  2. Verify Nonces: Continue using nonces to prevent CSRF, but ensure they are checked in addition to capabilities.
  3. Secure Hook Registration: When registering AJAX handlers (wp_ajax_) or REST API routes, ensure the permission_callback (for REST) or the logic within the handler (for AJAX) explicitly restricts access to authorized roles.

For further learning on securing WordPress plugins, you may consult the WordPress Plugin Handbook on Security and the OWASP Top 10 guide on Broken Access Control.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.