Executive Summary

The Klamra Paycal for Aspaclaria plugin for WordPress has an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 1.1.4. This vulnerability arises because the 'invoice_id' parameter lacks proper validation, allowing authenticated users with subscriber-level access or higher to manipulate this parameter.

By exploiting this flaw, attackers can enumerate sequential post IDs to download arbitrary customer invoices that do not belong to them.

This exposes sensitive billing personally identifiable information (PII) such as full names, email addresses, phone numbers, order totals, line items, and customer notes of other customers.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive customer billing information.

• Attackers with subscriber-level access can access invoices of other customers.
• Exposed data includes full names, email addresses, phone numbers, order totals, line items, and customer notes.

Such exposure can result in privacy violations, loss of customer trust, and potential legal consequences.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers to access sensitive billing personally identifiable information (PII) of other customers, including full name, email address, phone number, order total, line items, and customer notes.

Exposure of such sensitive PII can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, this vulnerability potentially compromises compliance with these standards by enabling unauthorized disclosure of protected customer data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the 'invoice_id' parameter in the Klamra Paycal for Aspaclaria WordPress plugin, which allows authenticated users with subscriber-level access or higher to download arbitrary customer invoices by enumerating sequential post IDs.

To detect this vulnerability on your system, you can attempt to access invoice data by manipulating the 'invoice_id' parameter in requests to the plugin's invoice download functionality while authenticated as a subscriber or similar role.

Suggested commands or steps include:

• Authenticate as a subscriber-level user on the WordPress site.
• Use a tool like curl or a browser to send HTTP requests to the invoice download endpoint, changing the 'invoice_id' parameter to sequential values.
• Example curl command: curl -b cookies.txt "https://example.com/path/to/invoice/download?invoice_id=123"
• Observe if invoice data for other customers is accessible by incrementing or decrementing the 'invoice_id' value.

If you can access invoices that do not belong to your user, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict access to the invoice download functionality to only trusted user roles until a patch is applied.
• Disable or remove the Klamra Paycal for Aspaclaria plugin if it is not essential.
• Monitor and audit access logs for suspicious activity involving the 'invoice_id' parameter.
• Apply any available updates or patches from the plugin developer as soon as they are released.

Since the vulnerability is due to missing validation on a user-controlled key, ensuring proper access controls and validation on the server side is critical.

Useful 0 Not Useful 0