[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6zepf9jyXpHC37o-7ngYvZe1YEFmpjpCxw15ED0c8a0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-54804","melhor-envio-missing-authorization","Melhor Envio \u003C= 2.16.3 - Missing Authorization","The Melhor Envio plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.16.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","melhor-envio-cotacao",null,"\u003C=2.16.3","2.16.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-16 00:00:00","2026-06-25 14:07:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F88db1993-f13a-4ddd-b410-47a2bf08ee3f?source=api-prod",10,[22,23,24,25,26,27,28,29],"Controllers\u002FAgenciesController.php","Controllers\u002FConfigurationController.php","Controllers\u002FOrdersController.php","Controllers\u002FPathController.php","Controllers\u002FQuotationController.php","Controllers\u002FSessionsController.php","Controllers\u002FStatusController.php","Controllers\u002FTokenController.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved in \"Missing Authorization\" vulnerabilities and how to properly secure WordPress controllers.\n\n### Understanding Missing Authorization in WordPress\n\nA **Missing Authorization** vulnerability (often categorized under OWASP's Broken Access Control) occurs when an application performs a security check to verify the *integrity* of a request (such as a CSRF check) but fails to verify the *identity and permissions* of the user performing the action.\n\nIn the context of the provided WordPress plugin code, the vulnerability stems from the reliance on Nonce verification without a corresponding Capability check.\n\n#### 1. Nonce vs. Capability\n*   **Nonces (`_wpnonce`)**: These are primarily used for CSRF (Cross-Site Request Forgery) protection. They ensure that the request was intentionally sent by the user from a specific form or link. However, a nonce does not verify *who* the user is or if they should be allowed to perform the action.\n*   **Capabilities (`current_user_can`)**: This is the authorization mechanism in WordPress. It checks if the currently logged-in user has the necessary permissions (e.g., `manage_options` for administrators, `edit_posts` for authors) to execute a specific function.\n\n#### 2. Vulnerability Pattern\nIn the provided files (such as `TokenController.php` or `ConfigurationController.php`), the code follows this pattern:\n\n```php\npublic function save() {\n    \u002F\u002F 1. Integrity check (CSRF protection)\n    WpNonceValidatorHelper::check( $_POST[ self::WP_NONCE ], 'tokens' );\n\n    \u002F\u002F 2. Data processing and persistence\n    $result = ( new TokenService() )->save(...);\n\n    \u002F\u002F 3. Response\n    return wp_send_json( ... );\n}\n```\n\nIf the AJAX action or REST route that triggers this `save()` function is registered in a way that allows Subscriber-level users to access it, the `WpNonceValidatorHelper::check` will pass if the Subscriber provides a valid nonce. Without a `current_user_can()` check, the Subscriber can successfully modify sensitive settings like API tokens or plugin configurations.\n\n### Remediation Best Practices\n\nTo secure WordPress controllers against unauthorized access, developers should follow these steps:\n\n1.  **Implement Capability Checks**: Every function that modifies data or exposes sensitive information must check for a specific capability.\n    ```php\n    if ( ! current_user_can( 'manage_options' ) ) {\n        wp_send_json_error( 'Unauthorized', 403 );\n    }\n    ```\n2.  **Verify Nonces**: Continue using nonces to prevent CSRF, but ensure they are checked *in addition* to capabilities.\n3.  **Secure Hook Registration**: When registering AJAX handlers (`wp_ajax_`) or REST API routes, ensure the `permission_callback` (for REST) or the logic within the handler (for AJAX) explicitly restricts access to authorized roles.\n\nFor further learning on securing WordPress plugins, you may consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10 guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2017\u002FA5_2017-Broken_Access_Control).","gemini-3-flash-preview","2026-06-25 23:36:18","2026-06-25 23:37:12",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.16.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelhor-envio-cotacao\u002Ftags\u002F2.16.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmelhor-envio-cotacao.2.16.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelhor-envio-cotacao\u002Ftags\u002F2.16.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmelhor-envio-cotacao.2.16.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelhor-envio-cotacao\u002Ftags"]