CVE-2026-54804: WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability affects the Melhor Envio WordPress plugin at version 2.16.3 and earlier. The flaw is reachable over the network and requires only a low-privilege account (such as a standard subscriber), with no victim interaction needed. Successful exploitation lets an attacker read data, tamper with data, and crash or severely degrade the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the Melhor Envio plugin. Status: Available.
HarborGuard scores this finding at CVSS 7.6 (High) and applies per-environment compliance policy weighting to prioritize it appropriately. Findings are routed to the relevant inbox inside each customer organization based on configured ownership rules. Status: Available.
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream patch is released. For customers who opt into auto-remediation, that rebuild triggers a regression test run and a PR opened against affected workloads without any manual step. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress service over the network; no local or physical access is needed.
- Authentication: Required
A low-privilege account such as a standard subscriber role is sufficient; no administrator credentials are needed.
- Victim interaction: Not required
No user interaction or social engineering is required; the attacker acts entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations.
Blast Radius
- Reads application or user data accessible to the plugin, such as shipping configuration details and potentially stored credentials.
- Modifies plugin data or WordPress records, which may alter shipping workflows or inject unauthorized changes.
- Crashes or severely degrades the affected WordPress service, making the site unavailable to legitimate users.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix has been published. Where container images bundle the Melhor Envio plugin at an affected version, HarborGuard flags them in the affected customer's registry and pipeline scan results. Compensating controls that security teams may consider in the interim include network-policy isolation to restrict which internal services the WordPress container can reach, egress filtering to limit plugin callback requests, and disabling the Melhor Envio plugin via a feature flag or environment variable if the shipping functionality is non-critical. As soon as an upstream fix version is published, a patched-image rebuild will become available on HarborGuard, and customers with auto-remediation enabled will receive a regression-tested rebuild with a PR opened against affected workloads automatically.
- melhorenvio / Melhor Envio: ≤ 2.16.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H