Vulnerabilites related to Unknown - Easy Digital Downloads – Simple eCommerce for Selling Digital Files
CVE-2022-0707 (GCVE-0-2022-0707)
Vulnerability from cvelistv5
Published
2022-04-18 17:10
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
References
| ▼ | URL | Tags |
|---|---|---|
| https://plugins.trac.wordpress.org/changeset/2697388 | x_refsource_CONFIRM | |
| https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 2.11.6 < 2.11.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0707",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"name": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0707",
"datePublished": "2022-04-18T17:10:31",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0706 (GCVE-0-2022-0706)
Vulnerability from cvelistv5
Published
2022-04-18 17:10
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 | x_refsource_MISC | |
| https://plugins.trac.wordpress.org/changeset/2697388 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 2.11.6 < 2.11.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0706",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0706",
"datePublished": "2022-04-18T17:10:29",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2387 (GCVE-0-2022-2387)
Vulnerability from cvelistv5
Published
2022-11-07 00:00
Modified
2025-05-05 20:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 3.0 < 3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:26:18.816586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:26:52.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 3.0 - Arbitrary Post Deletion via CSRF",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2387",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-07-12T00:00:00.000Z",
"dateUpdated": "2025-05-05T20:26:52.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}