Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
CVE-2021-39354

4.8MEDIUM

Key Information:

Vendor
Wordpress
Status
Easy Digital Downloads
Vendor
CVE Published:
21 October 2021

Summary

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.

Affected Version(s)

Easy Digital Downloads 2.11.2

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2...
x_refsource_MISC
https://plugins.trac.wordpress.org/changeset/2616149/easy...
x_refsource_MISC
https://github.com/BigTiger2020/word-press/blob/main/Easy...
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thinkland Security Team
.