The Correos Oficial WordPress plugin through 1.2.0.2 does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

A vulnerability in the descarga_etiqueta.php component of Correos Prestashop 1.7.x allows attackers to execute a directory traversal.

The CorreosExpress WordPress plugin through 2.6.0 generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses

The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. Attackers can also retrieve information about orders or buyers.