Easy PayPal Events and Tickets WordPress Plugin Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing information disclosure has been identified in the Easy PayPal Events & Tickets WordPress plugin, specifically in versions through 1.3. This vulnerability resides in the QR code scanning endpoint, where unauthenticated attackers can enumerate and access all customer order records. The exploitation involves iterating over sequential WordPress post IDs via the scan_qr.php endpoint, enabling attackers to collect a comprehensive set of orders from the database without authentication or prior knowledge of specific order identifiers.

Impact

Exploitation of this vulnerability allows for the enumeration and extraction of sensitive customer order information, including PayPal transaction IDs, email addresses, purchase details, and order status.

Reproduction

To reproduce this vulnerability, send a GET request to the scan_qr.php endpoint with the action parameter set to 'add_wpeevent_button_qr' and the order parameter set to a sequential WordPress post ID. This can be done by starting with an order ID of 1 and incrementing it with each request to retrieve the corresponding order details.

Remediation

Users are advised to implement authorization checks, use non-predictable identifiers, and restrict access to authenticated users.
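The following is an added illustration of the three remediation points above, not code from the plugin or its author. It assumes a standalone order-lookup action reached with the action and order parameters the advisory names; every function, capability, post type and meta key prefixed with wpee_ or _wpee_ is a hypothetical name chosen for the example, and the handler is registered on WordPress's admin_post_ hook instead of a standalone PHP file so that WordPress's own login check runs before it.

```php
<?php
// Added illustration (not the plugin's own code). Names prefixed wpee_ / _wpee_
// are hypothetical; the WordPress API calls (get_post, get_post_meta, absint,
// current_user_can, wp_die, hash_equals, wp_generate_password) are real.

// Shape of the weakness the advisory describes: the order ID from the query
// string is used directly, with no authentication and no authorization check,
// so any sequential post ID returns that order's record.
function wpee_vulnerable_lookup() {
    $order_id = isset($_GET['order']) ? (int) $_GET['order'] : 0;
    $order    = get_post($order_id);
    return $order ? get_post_meta($order_id) : null;
}

// Hardened version: require a logged-in user holding a scanning capability,
// bind the lookup to an unpredictable per-order token carried in the QR code,
// and compare that token in constant time.
function wpee_hardened_lookup() {
    // 1. Restrict to authenticated users with an explicit capability
    //    ('wpee_scan_tickets' is hypothetical; grant it to the staff role).
    if ( ! is_user_logged_in() || ! current_user_can('wpee_scan_tickets') ) {
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }

    $order_id = isset($_GET['order']) ? absint($_GET['order']) : 0;
    $token    = isset($_GET['token']) ? sanitize_text_field(wp_unslash($_GET['token'])) : '';

    // 2. Authorization check on the object itself: it must exist and be an order.
    $order = get_post($order_id);
    if ( ! $order || $order->post_type !== 'wpee_order' ) { // post type is hypothetical
        wp_die('Not found', 'Not found', array('response' => 404));
    }

    // 3. Non-predictable identifier: a random secret stored when the order was
    //    created (see wpee_issue_order_token), never derived from the post ID.
    //    hash_equals() returns false on a length mismatch and is timing-safe.
    $expected = (string) get_post_meta($order_id, '_wpee_qr_token', true);
    if ( $expected === '' || ! hash_equals($expected, $token) ) {
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }

    return get_post_meta($order_id);
}

// Called once at order creation: stores a 32-character random token that the
// generated QR code embeds together with the order ID.
function wpee_issue_order_token($order_id) {
    $token = wp_generate_password(32, false, false); // alphanumeric, CSPRNG-backed
    update_post_meta($order_id, '_wpee_qr_token', $token);
    return $token;
}

// admin_post_{action} fires only for logged-in users; the unauthenticated
// counterpart (admin_post_nopriv_{action}) is deliberately not registered.
add_action('admin_post_add_wpeevent_button_qr', 'wpee_hardened_lookup');
```

With this arrangement a guessed or incremented order ID alone no longer returns a record: the request must come from an authenticated scanner and carry the token that only the ticket holder's QR code contains. Site owners cannot apply this themselves; it is the shape of the fix a plugin release would need to ship.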

Added: May 4, 2026, 6:29 PM
Updated: May 4, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.