Stored Cross-Site Scripting Vulnerability in Easy Digital Downloads Plugin by WordPress
CVE-2024-0659

4.8MEDIUM

Key Information:

Vendor: Wordpress
Status: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
Vendor: CVE Published:; 5 February 2024

Summary

The Easy Digital Downloads plugin for WordPress, specifically versions up to and including 3.2.6, is susceptible to a Stored Cross-Site Scripting vulnerability. This flaw arises from inadequate input sanitization and insufficient output escaping in the variable pricing option title. Authenticated attackers with shop manager-level access could exploit this vulnerability to inject arbitrary web scripts into pages. When users access these compromised pages, the injected scripts would execute in their browsers, potentially leading to unauthorized access and data leakage.

Affected Version(s)

Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) * <= 3.2.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?old_path=/ea...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 5, 2024
Vulnerability Reserved
Jan 17, 2024

Credit

emad