Melhor Envio WordPress Plugin Sensitive Information Exposure Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Melhor Envio plugin for WordPress, affecting all versions through 2.15.11. The issue arises in the 'run' function, which contains a hardcoded hash. This vulnerability enables unauthenticated attackers to access sensitive data such as environment details, plugin tokens, shipping configurations, and limited vendor information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, including environment data, plugin tokens, shipping settings, and some vendor details.

Reproduction

The vulnerability can be reproduced by sending a request to the 'run' function of the Melhor Envio plugin with a hash parameter. The request will be processed if the hash matches the hardcoded value, bypassing authorization checks. This allows for the extraction of sensitive information.

Remediation

Users are advised to update the Melhor Envio WordPress plugin to version 2.15.12 or later.