Stored Cross-Site Scripting Vulnerability in Easy Digital Downloads by WordPress
CVE-2024-13517
4.4MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 18 January 2025
Summary
The Easy Digital Downloads plugin for WordPress is exploitable through a stored cross-site scripting vulnerability affecting all versions up to and including 3.3.2. This issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with administrator rights to inject malicious scripts into page titles. These scripts execute when users interact with compromised pages, posing significant risks, especially in multi-site installations and environments with unfiltered_html disabled.
Affected Version(s)
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy * <= 3.3.2
References
CVSS V3.1
Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Sajjad Ahmad