Plugin Vulnerability Could Allow Authenticated Users to Perform Malicious Actions
CVE-2022-2439
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 24 September 2024
What is CVE-2022-2439?
The Easy Digital Downloads plugin for WordPress contains a deserialization (PHP object injection) vulnerability reachable through the 'upload[file]' parameter. The flaw affects versions up to and including 3.3.3. An authenticated user with administrator-level access can supply a value using the phar:// stream wrapper, which causes PHP to deserialize and invoke arbitrary PHP objects. Whether this leads to further malicious actions depends on a suitable POP (property-oriented programming) gadget chain being present in the application. Site owners should update the plugin promptly and follow security best practices to limit the risk.
Affected Version(s)
- Easy Digital Downloads – eCommerce Payments and Subscriptions made easy: <= 3.3.3
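The following is an added illustration, not code from the Easy Digital Downloads plugin: it shows the shape of the flaw the advisory describes and a defensive check for it. A user-supplied path that reaches a PHP filesystem function is a deserialization sink when it can carry the phar:// stream wrapper, so the mitigation is to validate the value before any such call. Function, parameter and directory names are assumptions.

```php
<?php
// Added example (not Easy Digital Downloads code). PHP filesystem functions such
// as file_exists(), is_file() and filesize() honour stream wrappers, so a value
// like "phar://..." makes them open an archive and (before PHP 8.0) unserialize
// its metadata, instantiating attacker-chosen objects. Names are assumptions.

function example_safe_upload_path(string $userPath, string $uploadDir): ?string
{
    // 1. Reject anything carrying a stream-wrapper scheme (phar://, php://,
    //    data://, glob://, ...). A plain local path never contains "://".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }
    // 2. Reject NUL bytes and ".." path components.
    if (strpos($userPath, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        return null;
    }
    // 3. Resolve the real path and require it to sit inside the upload directory.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable shape: the raw request parameter reaches a filesystem function,
// so a phar:// value is opened as an archive and its metadata deserialized.
function example_vulnerable_check(array $request): bool
{
    return is_file($request['upload']['file'] ?? '');
}

// Hardened shape: only a validated, in-directory real path reaches the sink.
function example_hardened_check(array $request, string $uploadDir): bool
{
    $path = example_safe_upload_path($request['upload']['file'] ?? '', $uploadDir);
    return $path !== null && is_file($path);
}
```

PHP 8.0 stopped automatically unserializing phar metadata during filesystem operations, but the path validation still belongs in the plugin because sites run older PHP and the wrapper check also blocks other unintended stream access.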