CVE-2021-25002

Tipsacarrier < 1.5.0.5 - Unauthenticated Orders Disclosure

EPSS 1.5%CWE-862

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 May 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL

Affected products

Unknown · Tipsacarrier

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/b14f476e-3124-4cbf-91b4-ae53c4dabd7c