Description
The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/b14f476e-3124-4cbf-91b4-ae53c4dabd7c
Scores
CVSS v3
7.5
EPSS
0.0147
EPSS Percentile
70.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (1)
tipsacarrier_project/tipsacarrier
< 1.5.0.5
Published
May 02, 2022
Tracked Since
Feb 18, 2026