CVE-2026-54804
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Broken Authentication reachable by Subscriber-level users in the Melhor Envio WordPress plugin, versions <= 2.16.3.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: melhor_envio
Product: melhor_envio
Version / Range: up to and including 2.16.3
CWE
CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Compliance Impact

The vulnerability involves Broken Authentication allowing low-privilege users to gain unauthorized admin access, which can lead to unauthorized access to sensitive data.

Such unauthorized access can impact compliance with standards like GDPR and HIPAA, which require strict controls on access to personal and protected health information.

Failure to prevent unauthorized access due to this vulnerability could result in violations of these regulations, potentially leading to legal and financial consequences.

Executive Summary

CVE-2026-54804 is a Broken Authentication vulnerability in the WordPress Melhor Envio Plugin versions 2.16.3 and earlier.

This flaw allows malicious actors with low-level privileges, such as users with the Subscriber role, to perform actions that are normally restricted to higher-privileged users, potentially gaining unauthorized admin access.

The vulnerability is described as actively exploited in mass campaigns targeting thousands of websites; note that this page shows no EPSS score and no KEV listing, so treat the claim as unconfirmed by those sources and rely on the affected-version range when prioritising.

It falls under OWASP Top 10 category A07:2021, Identification and Authentication Failures.

Impact Analysis

This vulnerability can allow an attacker holding any low-privilege account (a Subscriber, the lowest default WordPress role) to reach functionality intended for higher-privileged users and, per the description, gain unauthorized administrative control over the site.

Such unauthorized admin access can lead to a wide range of malicious activities including data manipulation, site defacement, installation of malware, or disruption of services.

If the reported mass exploitation is accurate, sites running vulnerable versions are at significant risk; even without that confirmation, the low privilege required means any site that allows open registration is exposed.

Mitigation Strategies

To mitigate the CVE-2026-54804 vulnerability in the Melhor Envio WordPress plugin, you should immediately update the plugin to version 2.16.4 or later, as this version contains the patch for the broken authentication flaw.

Until you can apply the update, you can use the automatic mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Since the vulnerability only requires a Subscriber account, restricting roles does not remove the flaw (Subscriber is already the lowest role); what reduces exposure until the patch is applied is limiting who can obtain an account at all, for example by disabling open registration (the "Anyone can register" option in Settings > General) and auditing existing low-privilege users.
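The following is an added illustration of the CWE-288 pattern behind this class of WordPress plugin bug, written for this page and not taken from Melhor Envio or Patchstack. It shows a hypothetical shipping-plugin settings handler exposed two ways (an admin-ajax action and a REST route) where each path checks only that the caller is logged in, so a Subscriber reaches an admin-only operation, followed by the hardened form that enforces the same capability the admin page requires. All action names, option names and route paths are invented for the example.

```php
<?php
// Added example: CWE-288 (alternate path without authorization) in a hypothetical
// WordPress plugin. Names such as demo_shipping_* are assumptions for illustration.

/* ---------- VULNERABLE ---------- */

// wp_ajax_* handlers are reachable by ANY authenticated user, Subscriber included.
// is_user_logged_in() is therefore not an authorization check: every role passes it.
add_action( 'wp_ajax_demo_shipping_save_settings', 'demo_shipping_save_settings_vulnerable' );
function demo_shipping_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // Attacker-controlled value overwrites a privileged option via the AJAX side door.
    update_option( 'demo_shipping_api_token', sanitize_text_field( wp_unslash( $_POST['api_token'] ?? '' ) ) );
    wp_send_json_success();
}

// Same mistake on the REST side: permission_callback only requires a logged-in user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-shipping/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_shipping_rest_save_vulnerable',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );
function demo_shipping_rest_save_vulnerable( WP_REST_Request $req ) {
    update_option( 'demo_shipping_api_token', sanitize_text_field( $req->get_param( 'api_token' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

/* ---------- HARDENED ---------- */

// The AJAX path now enforces a nonce (CSRF) and the capability the settings page
// itself requires. A Subscriber lacks manage_options and is refused with 403.
add_action( 'wp_ajax_demo_shipping_save_settings_fixed', 'demo_shipping_save_settings_fixed' );
function demo_shipping_save_settings_fixed() {
    // Nonce created on the admin page with wp_create_nonce( 'demo_shipping_settings' ).
    check_ajax_referer( 'demo_shipping_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_shipping_api_token', sanitize_text_field( wp_unslash( $_POST['api_token'] ?? '' ) ) );
    wp_send_json_success();
}

// The REST path gets a real permission_callback. WordPress returns 403 before the
// callback runs, and REST requests already carry a nonce via the X-WP-Nonce header.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-shipping/v1', '/settings-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'demo_shipping_rest_save_fixed',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function demo_shipping_rest_save_fixed( WP_REST_Request $req ) {
    update_option( 'demo_shipping_api_token', sanitize_text_field( $req->get_param( 'api_token' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

To verify a handler of this shape on a test site, log in as a Subscriber and POST to `wp-admin/admin-ajax.php` with `action=demo_shipping_save_settings` (or to the REST route) using that session's cookies: the vulnerable variants accept the request and change the option, the hardened variants answer 403. The general rule the example demonstrates is that every entry point a plugin registers (AJAX, REST, `admin_post_*`, `init`-time request parsing) must apply the same `current_user_can()` check as the UI it shadows; `is_user_logged_in()` alone, or `permission_callback => '__return_true'`, is exactly the alternate unauthenticated path CWE-288 describes.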
