CVE-2021-25002: 
WordPress vulnerability analysis and mitigation

The Tipsacarrier WordPress plugin before version 1.5.0.5 contains a security vulnerability identified as CVE-2021-25002. The vulnerability was discovered and reported on November 26th, 2021, and publicly disclosed on April 5th, 2022. The issue affects the plugin's authorization mechanism, where certain functions lack proper authentication checks (WPScan).

The vulnerability stems from missing authorization checks in specific plugin functions. It has been assigned a CVSS score of 5.3 (medium severity) and is classified under CWE-862 (Missing Authorization). The vulnerability aligns with the OWASP Top 10 category A5: Broken Access Control. The issue specifically affects the plugin's data consultation functionality through the endpoint '/wp-content/plugins/tipsacarrier/js/consulta_datos.php' (WPScan).

When exploited, the vulnerability allows unauthenticated users to access Orders data, including sensitive customer information such as full addresses, names, and phone numbers through tracking URLs. Additionally, attackers can access order IDs, creation dates, shipping agency order codes, shipping statuses, and printing tag URLs without proper authentication (WPScan).

The vulnerability has been fixed in version 1.5.0.5 of the Tipsacarrier plugin. Users are advised to update to this version or later to protect against unauthorized access to order data (WPScan).