CVE-2021-25002

{"id": "CVE-2021-25002", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-05-02T16:15:07.973", "references": [{"url": "https://wpscan.com/vulnerability/b14f476e-3124-4cbf-91b4-ae53c4dabd7c", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/b14f476e-3124-4cbf-91b4-ae53c4dabd7c", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL"}, {"lang": "es", "value": "El plugin Tipsacarrier WordPress antes de la versi\u00f3n 1.5.0.5 no tiene ninguna comprobaci\u00f3n de autorizaci\u00f3n en algunas funciones, lo que podr\u00eda permitir a los usuarios no autentificados acceder a los datos de los pedidos que podr\u00edan ser utilizados para recuperar la direcci\u00f3n completa del cliente, el nombre y el tel\u00e9fono a trav\u00e9s de la URL de seguimiento"}], "lastModified": "2024-11-21T05:54:09.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tipsacarrier_project:tipsacarrier:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "38534773-F506-4CF8-9777-EF55B78E26BB", "versionEndExcluding": "1.5.0.5"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}