Vulnerabilites related to awesomemotive - easy_digital_downloads
CVE-2015-9527 (GCVE-0-2015-9527)
Vulnerability from cvelistv5
Published
2019-10-23 15:59
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:59:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9527",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9527",
"datePublished": "2019-10-23T15:59:22",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51684 (GCVE-0-2023-51684)
Vulnerability from cvelistv5
Published
2024-02-01 10:34
Modified
2024-08-02 22:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-01T13:52:01.116084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T19:36:20.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:34.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy)",
"vendor": "Easy Digital Downloads",
"versions": [
{
"changes": [
{
"at": "3.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.2.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LVT-tholv2k (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Easy Digital Downloads Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026amp; Payments Made Easy) allows Stored XSS.\u003cp\u003eThis issue affects Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026amp; Payments Made Easy): from n/a through 3.2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Easy Digital Downloads Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy): from n/a through 3.2.5.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T10:34:37.382Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.2.6 or a higher version."
}
],
"value": "Update to\u00a03.2.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads Plugin \u003c= 3.2.5 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51684",
"datePublished": "2024-02-01T10:34:37.382Z",
"dateReserved": "2023-12-21T14:51:43.924Z",
"dateUpdated": "2024-08-02T22:40:34.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2252 (GCVE-0-2025-2252)
Vulnerability from cvelistv5
Published
2025-03-25 07:04
Modified
2025-03-31 17:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.6.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T17:43:43.397388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T17:44:11.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.6.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fran\u00e7oa Taffarel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T07:04:54.606Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0e3b81-55fe-46b2-bae1-d7321d74c485?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.3.6.1/includes/ajax-functions.php#L466"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.3.6.1/includes/ajax-functions.php#L459"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3257409/easy-digital-downloads/trunk/includes/ajax-functions.php?contextall=1"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3257409/easy-digital-downloads/trunk/includes/ajax-functions.php?old=3226442\u0026old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fajax-functions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-24T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy \u003c= 3.3.6.1 - Unauthenticated Private Post Title Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2252",
"datePublished": "2025-03-25T07:04:54.606Z",
"dateReserved": "2025-03-12T14:30:10.813Z",
"dateUpdated": "2025-03-31T17:44:11.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9534 (GCVE-0-2015-9534)
Vulnerability from cvelistv5
Published
2019-10-23 15:54
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Quota theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Quota theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:54:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9534",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Quota theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9534",
"datePublished": "2019-10-23T15:54:43",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9523 (GCVE-0-2015-9523)
Vulnerability from cvelistv5
Published
2019-10-23 16:02
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:02:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9523",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9523",
"datePublished": "2019-10-23T16:02:17",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9531 (GCVE-0-2015-9531)
Vulnerability from cvelistv5
Published
2019-10-23 15:56
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:56:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9531",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9531",
"datePublished": "2019-10-23T15:56:45",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9512 (GCVE-0-2015-9512)
Vulnerability from cvelistv5
Published
2019-10-23 16:11
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:11:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9512",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9512",
"datePublished": "2019-10-23T16:11:09",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9520 (GCVE-0-2015-9520)
Vulnerability from cvelistv5
Published
2019-10-23 16:04
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:04:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9520",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9520",
"datePublished": "2019-10-23T16:04:33",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9528 (GCVE-0-2015-9528)
Vulnerability from cvelistv5
Published
2019-10-23 15:58
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:58:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9528",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9528",
"datePublished": "2019-10-23T15:58:40",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9324 (GCVE-0-2015-9324)
Vulnerability from cvelistv5
Published
2019-08-16 20:10
Modified
2024-08-06 08:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wordpress.org/plugins/easy-digital-downloads/#developers | x_refsource_MISC | |
| https://wpvulndb.com/vulnerabilities/9770 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:42.542Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9770"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-26T04:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9770"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9324",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/easy-digital-downloads/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9770",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9770"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9324",
"datePublished": "2019-08-16T20:10:59",
"dateReserved": "2019-08-16T00:00:00",
"dateUpdated": "2024-08-06T08:43:42.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30869 (GCVE-0-2023-30869)
Vulnerability from cvelistv5
Published
2023-05-02 09:46
Modified
2025-01-08 22:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: 3.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:47:09.769436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T22:08:16.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"changes": [
{
"at": "3.1.1.4.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.1.4.1",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tien Nguyen Anh (Patchstack Alliance)"
}
],
"datePublic": "2023-05-02T09:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eThis issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.\u003c/span\u003e"
}
],
"value": "Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation.\u00a0This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-03T05:05:58.271Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
},
{
"tags": [
"related"
],
"url": "https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.1.1.4.2 or a higher version."
}
],
"value": "Update to\u00a03.1.1.4.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads Plugin 3.1-3.1.1.4.1 is vulnerable to Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-30869",
"datePublished": "2023-05-02T09:46:36.439Z",
"dateReserved": "2023-04-19T12:33:22.775Z",
"dateUpdated": "2025-01-08T22:08:16.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2302 (GCVE-0-2024-2302)
Vulnerability from cvelistv5
Published
2024-04-09 18:58
Modified
2024-08-01 19:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) |
Version: * ≤ 3.2.9 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:easydigitaldownloads:easy_digital_downloads:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easy_digital_downloads",
"vendor": "easydigitaldownloads",
"versions": [
{
"lessThanOrEqual": "3.2.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T18:02:30.982983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T18:04:51.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:52.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0837ba20-4b47-4cc8-9eb3-322289513d79?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/class-edd-logging.php#L621"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060808%40easy-digital-downloads%2Ftrunk\u0026old=3042139%40easy-digital-downloads%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.2.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-532 Information Exposure Through Log Files",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T18:58:30.328Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0837ba20-4b47-4cc8-9eb3-322289513d79?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/class-edd-logging.php#L621"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060808%40easy-digital-downloads%2Ftrunk\u0026old=3042139%40easy-digital-downloads%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-03T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2302",
"datePublished": "2024-04-09T18:58:30.328Z",
"dateReserved": "2024-03-07T20:07:34.933Z",
"dateUpdated": "2024-08-01T19:11:52.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40005 (GCVE-0-2023-40005)
Vulnerability from cvelistv5
Published
2024-12-13 14:24
Modified
2024-12-13 19:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.1.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:05:26.095458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T19:05:42.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"changes": [
{
"at": "3.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nguyen Anh Tien (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Easy Digital Downloads: from n/a through 3.1.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T14:24:04.354Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/easy-digital-downloads/vulnerability/wordpress-easy-digital-downloads-plugin-3-1-5-broken-access-control?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.2.0)."
}
],
"value": "Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.2.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads plugin \u003c= 3.1.5 - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40005",
"datePublished": "2024-12-13T14:24:04.354Z",
"dateReserved": "2023-08-08T12:15:26.376Z",
"dateUpdated": "2024-12-13T19:05:42.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9536 (GCVE-0-2015-9536)
Vulnerability from cvelistv5
Published
2019-10-23 15:49
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:49:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9536",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9536",
"datePublished": "2019-10-23T15:49:27",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9506 (GCVE-0-2015-9506)
Vulnerability from cvelistv5
Published
2019-10-23 16:13
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:13:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9506",
"datePublished": "2019-10-23T16:13:25",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9508 (GCVE-0-2015-9508)
Vulnerability from cvelistv5
Published
2019-10-23 16:12
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:12:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9508",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9508",
"datePublished": "2019-10-23T16:12:35",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15116 (GCVE-0-2019-15116)
Vulnerability from cvelistv5
Published
2019-08-16 20:12
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpvulndb.com/vulnerabilities/9334 | x_refsource_MISC | |
| https://wordpress.org/plugins/easy-digital-downloads/#developers | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.230Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9334"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-23T01:06:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9334"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9334",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9334"
},
{
"name": "https://wordpress.org/plugins/easy-digital-downloads/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15116",
"datePublished": "2019-08-16T20:12:04",
"dateReserved": "2019-08-16T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9507 (GCVE-0-2015-9507)
Vulnerability from cvelistv5
Published
2019-10-23 16:13
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:13:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9507",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9507",
"datePublished": "2019-10-23T16:13:05",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39354 (GCVE-0-2021-39354)
Vulnerability from cvelistv5
Published
2021-10-21 19:38
Modified
2025-03-31 17:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: 2.11.2 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:42.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-39354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T17:57:34.532627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T17:57:42.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"lessThanOrEqual": "2.11.2",
"status": "affected",
"version": "2.11.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thinkland Security Team"
}
],
"datePublic": "2021-10-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-21T19:38:58.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.11.2.1 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Easy Digital Downloads \u003c= 2.11.2 Authenticated Reflected Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-10-21T16:05:00.000Z",
"ID": "CVE-2021-39354",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c= 2.11.2 Authenticated Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.11.2",
"version_value": "2.11.2"
}
]
}
}
]
},
"vendor_name": "Easy Digital Downloads"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thinkland Security Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354",
"refsource": "MISC",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php"
},
{
"name": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md",
"refsource": "MISC",
"url": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.11.2.1 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-39354",
"datePublished": "2021-10-21T19:38:58.093Z",
"dateReserved": "2021-08-20T00:00:00.000Z",
"dateUpdated": "2025-03-31T17:57:42.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9517 (GCVE-0-2015-9517)
Vulnerability from cvelistv5
Published
2019-10-23 16:08
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:08:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9517",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9517",
"datePublished": "2019-10-23T16:08:34",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33900 (GCVE-0-2022-33900)
Vulnerability from cvelistv5
Published
2022-08-22 14:48
Modified
2025-02-20 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- PHP Object Injection
Summary
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: <= 3.0.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:22.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-33900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:27:14.030496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:13:03.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "\u003c= 3.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Robert Rowley (Patchstack)"
}
],
"datePublic": "2022-08-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PHP Object Injection vulnerability in Easy Digital Downloads plugin \u003c= 3.0.1 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "PHP Object Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-22T14:48:37.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 3.0.2 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads plugin \u003c= 3.0.1 - PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-10T11:40:00.000Z",
"ID": "CVE-2022-33900",
"STATE": "PUBLIC",
"TITLE": "WordPress Easy Digital Downloads plugin \u003c= 3.0.1 - PHP Object Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 3.0.1",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "Easy Digital Downloads"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Robert Rowley (Patchstack)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PHP Object Injection vulnerability in Easy Digital Downloads plugin \u003c= 3.0.1 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "PHP Object Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability"
},
{
"name": "https://wordpress.org/plugins/easy-digital-downloads/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 3.0.2 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-33900",
"datePublished": "2022-08-22T14:48:37.139Z",
"dateReserved": "2022-06-30T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:13:03.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6692 (GCVE-0-2024-6692)
Vulnerability from cvelistv5
Published
2024-08-10 02:01
Modified
2024-08-12 14:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T14:16:37.336704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T14:50:45.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T02:01:23.075Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54d5ab2-40ba-4ad8-9a77-44aba37f0283?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/includes/checkout/template.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) \u003c= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6692",
"datePublished": "2024-08-10T02:01:23.075Z",
"dateReserved": "2024-07-11T14:59:57.041Z",
"dateUpdated": "2024-08-12T14:50:45.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9513 (GCVE-0-2015-9513)
Vulnerability from cvelistv5
Published
2019-10-23 16:10
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:10:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9513",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9513",
"datePublished": "2019-10-23T16:10:43",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9532 (GCVE-0-2015-9532)
Vulnerability from cvelistv5
Published
2019-10-23 15:56
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:56:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9532",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9532",
"datePublished": "2019-10-23T15:56:00",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2439 (GCVE-0-2022-2439)
Vulnerability from cvelistv5
Published
2024-09-24 03:06
Modified
2024-09-24 15:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.3 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:easydigitaldownloads:easy_digital_downloads:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "easy_digital_downloads",
"vendor": "easydigitaldownloads",
"versions": [
{
"lessThanOrEqual": "3.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T15:28:58.810659Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T15:30:14.881Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rasoul Jahanshahi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the \u0027upload[file]\u0027 parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T03:06:38.891Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/includes/admin/import/import-functions.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/src/Utils/FileSystem.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files \u003c= 3.3.3 - Authenticated (Admin+) PHAR Deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-2439",
"datePublished": "2024-09-24T03:06:38.891Z",
"dateReserved": "2022-07-15T14:24:11.668Z",
"dateUpdated": "2024-09-24T15:30:14.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6691 (GCVE-0-2024-6691)
Vulnerability from cvelistv5
Published
2024-08-10 02:01
Modified
2024-08-12 14:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T14:32:42.679614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T14:32:55.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T02:01:19.896Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0459a6bd-334d-43b7-b289-271108564a53?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/src/Admin/Settings/Sanitize.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) \u003c= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Currency Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6691",
"datePublished": "2024-08-10T02:01:19.896Z",
"dateReserved": "2024-07-11T14:55:03.243Z",
"dateUpdated": "2024-08-12T14:32:55.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9509 (GCVE-0-2015-9509)
Vulnerability from cvelistv5
Published
2019-10-23 16:12
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:12:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9509",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9509",
"datePublished": "2019-10-23T16:12:19",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3600 (GCVE-0-2022-3600)
Vulnerability from cvelistv5
Published
2022-11-21 00:00
Modified
2025-04-30 13:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0 | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads |
Version: 0 < 3.1.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3600",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:23:14.088277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:23:33.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T13:34:57.906Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 3.1.0.2 - Unauthenticated CSV Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3600",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-04-30T13:23:33.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5057 (GCVE-0-2024-5057)
Vulnerability from cvelistv5
Published
2024-08-29 14:04
Modified
2024-08-29 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:easydigitaldownloads:easy_digital_downloads:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easy_digital_downloads",
"vendor": "easydigitaldownloads",
"versions": [
{
"lessThanOrEqual": "3.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T14:27:03.676302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T14:27:46.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"changes": [
{
"at": "3.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.2.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "justakazh (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Easy Digital Downloads allows SQL Injection.\u003cp\u003eThis issue affects Easy Digital Downloads: from n/a through 3.2.12.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T14:04:35.019Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-12-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.3.1 or a higher version."
}
],
"value": "Update to 3.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads plugin \u003c= 3.2.12 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-5057",
"datePublished": "2024-08-29T14:04:35.019Z",
"dateReserved": "2024-05-17T10:11:19.916Z",
"dateUpdated": "2024-08-29T14:27:46.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9530 (GCVE-0-2015-9530)
Vulnerability from cvelistv5
Published
2019-10-23 15:57
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:57:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9530",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9530",
"datePublished": "2019-10-23T15:57:27",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9515 (GCVE-0-2015-9515)
Vulnerability from cvelistv5
Published
2019-10-23 16:10
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:10:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9515",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9515",
"datePublished": "2019-10-23T16:10:04",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0707 (GCVE-0-2022-0707)
Vulnerability from cvelistv5
Published
2022-04-18 17:10
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
References
| ▼ | URL | Tags |
|---|---|---|
| https://plugins.trac.wordpress.org/changeset/2697388 | x_refsource_CONFIRM | |
| https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 2.11.6 < 2.11.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0707",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"name": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0707",
"datePublished": "2022-04-18T17:10:31",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12875 (GCVE-0-2024-12875)
Vulnerability from cvelistv5
Published
2024-12-21 11:22
Modified
2024-12-28 00:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-23T16:40:48.216633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-28T00:48:38.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sajjad Ahmad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-21T11:22:44.638Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec065da7-b8aa-414d-9673-5caf87ad45b5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/includes/process-download.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-20T21:27:52.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u003c= 3.3.2 - Authenticated (Admin+) Arbitrary File Download"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12875",
"datePublished": "2024-12-21T11:22:44.638Z",
"dateReserved": "2024-12-20T21:27:38.381Z",
"dateUpdated": "2024-12-28T00:48:38.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9514 (GCVE-0-2015-9514)
Vulnerability from cvelistv5
Published
2019-10-23 16:10
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:10:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9514",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9514",
"datePublished": "2019-10-23T16:10:22",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9525 (GCVE-0-2015-9525)
Vulnerability from cvelistv5
Published
2019-10-23 16:00
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:00:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9525",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9525",
"datePublished": "2019-10-23T16:00:49",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9505 (GCVE-0-2015-9505)
Vulnerability from cvelistv5
Published
2019-10-23 16:13
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:13:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9505",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9505",
"datePublished": "2019-10-23T16:13:41",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9519 (GCVE-0-2015-9519)
Vulnerability from cvelistv5
Published
2019-10-23 16:07
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:07:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9519",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9519",
"datePublished": "2019-10-23T16:07:51",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13517 (GCVE-0-2024-13517)
Vulnerability from cvelistv5
Published
2025-01-18 07:05
Modified
2025-01-21 21:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T21:24:19.017789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T21:24:23.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sajjad Ahmad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-18T07:05:09.175Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d745937-4b0a-480a-9771-8af3288ee98f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3131805%40easy-digital-downloads\u0026new=3131805%40easy-digital-downloads\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-17T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) \u003c= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Title"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13517",
"datePublished": "2025-01-18T07:05:09.175Z",
"dateReserved": "2025-01-17T18:20:00.423Z",
"dateUpdated": "2025-01-21T21:24:23.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9522 (GCVE-0-2015-9522)
Vulnerability from cvelistv5
Published
2019-10-23 16:02
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:02:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9522",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9522",
"datePublished": "2019-10-23T16:02:54",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9654 (GCVE-0-2024-9654)
Vulnerability from cvelistv5
Published
2024-12-17 11:10
Modified
2024-12-17 17:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: 3.1 ≤ 3.3.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T15:25:04.981581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T17:29:09.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.4",
"status": "affected",
"version": "3.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the \u0027verify_guest_email\u0027 function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T11:10:18.973Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3f4de75-abf5-46e8-854d-be91ed74a5f3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3188001/easy-digital-downloads/trunk/includes/blocks/includes/orders/functions.php?old=2990247\u0026old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fblocks%2Fincludes%2Forders%2Ffunctions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-08T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-12-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9654",
"datePublished": "2024-12-17T11:10:18.973Z",
"dateReserved": "2024-10-08T19:39:51.722Z",
"dateUpdated": "2024-12-17T17:29:09.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43162 (GCVE-0-2024-43162)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-01 19:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Easy Digital Downloads | Easy Digital Downloads |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T19:28:25.626587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T19:38:43.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads",
"vendor": "Easy Digital Downloads",
"versions": [
{
"changes": [
{
"at": "3.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.2.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "justakazh (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Easy Digital Downloads: from n/a through 3.2.12.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:17:42.296Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-12-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.3.1 or a higher version."
}
],
"value": "Update to 3.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Digital Downloads plugin \u003c= 3.2.12 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43162",
"datePublished": "2024-11-01T14:17:42.296Z",
"dateReserved": "2024-08-07T09:19:37.567Z",
"dateUpdated": "2024-11-01T19:38:43.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0706 (GCVE-0-2022-0706)
Vulnerability from cvelistv5
Published
2022-04-18 17:10
Modified
2024-08-02 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 | x_refsource_MISC | |
| https://plugins.trac.wordpress.org/changeset/2697388 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 2.11.6 < 2.11.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0706",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0706",
"datePublished": "2022-04-18T17:10:29",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9521 (GCVE-0-2015-9521)
Vulnerability from cvelistv5
Published
2019-10-23 16:03
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:03:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9521",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9521",
"datePublished": "2019-10-23T16:03:40",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9510 (GCVE-0-2015-9510)
Vulnerability from cvelistv5
Published
2019-10-23 16:12
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:12:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9510",
"datePublished": "2019-10-23T16:12:02",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9511 (GCVE-0-2015-9511)
Vulnerability from cvelistv5
Published
2019-10-23 16:11
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:11:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9511",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9511",
"datePublished": "2019-10-23T16:11:30",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9533 (GCVE-0-2015-9533)
Vulnerability from cvelistv5
Published
2019-10-23 15:55
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:55:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9533",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9533",
"datePublished": "2019-10-23T15:55:16",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9524 (GCVE-0-2015-9524)
Vulnerability from cvelistv5
Published
2019-10-23 16:01
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:01:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9524",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9524",
"datePublished": "2019-10-23T16:01:31",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2387 (GCVE-0-2022-2387)
Vulnerability from cvelistv5
Published
2022-11-07 00:00
Modified
2025-05-05 20:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Version: 3.0 < 3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:26:18.816586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:26:52.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 3.0 - Arbitrary Post Deletion via CSRF",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2387",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-07-12T00:00:00.000Z",
"dateUpdated": "2025-05-05T20:26:52.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9535 (GCVE-0-2015-9535)
Vulnerability from cvelistv5
Published
2019-10-23 15:53
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:53:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9535",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9535",
"datePublished": "2019-10-23T15:53:21",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0659 (GCVE-0-2024-0659)
Vulnerability from cvelistv5
Published
2024-02-05 21:21
Modified
2024-08-01 18:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) |
Version: * ≤ 3.2.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-17T23:45:30.506108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:50.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.734Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6\u0026old=3030600\u0026new_path=/easy-digital-downloads/tags/3.2.7\u0026new=3030600\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "emad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T21:21:35.898Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6\u0026old=3030600\u0026new_path=/easy-digital-downloads/tags/3.2.7\u0026new=3030600\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-02T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0659",
"datePublished": "2024-02-05T21:21:35.898Z",
"dateReserved": "2024-01-17T16:10:41.337Z",
"dateUpdated": "2024-08-01T18:11:35.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9516 (GCVE-0-2015-9516)
Vulnerability from cvelistv5
Published
2019-10-23 16:08
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:08:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9516",
"datePublished": "2019-10-23T16:08:55",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9518 (GCVE-0-2015-9518)
Vulnerability from cvelistv5
Published
2019-10-23 16:08
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:08:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9518",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9518",
"datePublished": "2019-10-23T16:08:11",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9526 (GCVE-0-2015-9526)
Vulnerability from cvelistv5
Published
2019-10-23 16:00
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T16:00:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9526",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9526",
"datePublished": "2019-10-23T16:00:15",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4670 (GCVE-0-2025-4670)
Vulnerability from cvelistv5
Published
2025-05-29 08:22
Modified
2025-05-29 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Version: * ≤ 3.3.8.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T14:04:53.007231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T14:05:08.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.3.8.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "muhammad yudha"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T08:22:03.121Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95c5bfc5-53b3-482f-856b-db6b6cac93a2?source=cve"
},
{
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3301852/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-28T19:44:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u003c= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-4670",
"datePublished": "2025-05-29T08:22:03.121Z",
"dateReserved": "2025-05-13T22:16:30.461Z",
"dateUpdated": "2025-05-29T14:05:08.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9529 (GCVE-0-2015-9529)
Vulnerability from cvelistv5
Published
2019-10-23 15:57
Modified
2024-08-06 08:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-23T15:57:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/",
"refsource": "MISC",
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9529",
"datePublished": "2019-10-23T15:57:57",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-08-16 21:15
Modified
2025-02-07 19:44
Severity ?
Summary
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://wordpress.org/plugins/easy-digital-downloads/#developers | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://wpvulndb.com/vulnerabilities/9334 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/easy-digital-downloads/#developers | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpvulndb.com/vulnerabilities/9334 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A0422E7E-A4FD-45C6-B7AC-8281FCC67A95",
"versionEndExcluding": "2.9.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging."
},
{
"lang": "es",
"value": "El plugin easy-digital-downloads versiones anteriores a 2.9.16 para WordPress, presenta una vulnerabilidad de tipo XSS relacionada con el registro de direcciones IP."
}
],
"id": "CVE-2019-15116",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-16T21:15:13.690",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9334"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9334"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:conditional_success_redirects:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "1D58F0DF-FD1E-4F30-A39A-DB585F58FDB8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Conditional Success Redirects de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9511",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.350",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-21 20:15
Modified
2025-02-07 19:44
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1DF38AD9-FA9C-4BB1-8145-3AB41FAC3F75",
"versionEndIncluding": "2.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2."
},
{
"lang": "es",
"value": "El plugin Easy Digital Downloads de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado por medio de los par\u00e1metros $start_date y $end_date encontrados en el archivo ~/includes/admin/payments/class-payments-table.php que permite a atacantes inyectar scripts web arbitrarios, en versiones hasta la 2.11.2 incluy\u00e9ndola"
}
],
"id": "CVE-2021-39354",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-21T20:15:08.130",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:pdf_stamper:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "D908DA50-B8BA-4B16-ADAD-9C29480ED9A8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n PDF Stamper de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9519",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.867",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:software_licensing:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "A0F1D308-4A32-425C-9305-A59375BE8002",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Software Licensing extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Software Licensing de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9528",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.747",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-12 13:38
Modified
2025-02-07 17:07
Severity ?
3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "57A2731D-24E1-417B-9BA0-BB6727C100C5",
"versionEndExcluding": "3.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 Sell Digital Files \u0026amp; Subscriptions (eCommerce Store + Payments Made Easy) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del valor de texto del acuerdo en todas las versiones hasta la 3.3.2 incluida debido a una desinfecci\u00f3n de entrada y un escape de salida insuficiente. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a las instalaciones multisitio y a las instalaciones en las que se ha deshabilitado unfiltered_html."
}
],
"id": "CVE-2024-6692",
"lastModified": "2025-02-07T17:07:33.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 2.5,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-12T13:38:39.843",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/includes/checkout/template.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54d5ab2-40ba-4ad8-9a77-44aba37f0283?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:invoices:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "D1072C39-6A0C-4001-A7FC-2BE835E06667",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Invoices de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9516",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.677",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-09 19:15
Modified
2025-02-07 17:05
Severity ?
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0EE21D7F-093B-44CF-A149-192B08052029",
"versionEndExcluding": "3.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 Sell Digital Files \u0026amp; Subscriptions (eCommerce Store + Payments Made Easy) para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 3.2.9 incluida. Esto hace posible que atacantes no autenticados descarguen el registro de depuraci\u00f3n a trav\u00e9s del Listado de directorios. Este archivo puede incluir PII."
}
],
"id": "CVE-2024-2302",
"lastModified": "2025-02-07T17:05:52.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-04-09T19:15:30.990",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/class-edd-logging.php#L621"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060808%40easy-digital-downloads%2Ftrunk\u0026old=3042139%40easy-digital-downloads%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0837ba20-4b47-4cc8-9eb3-322289513d79?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/class-edd-logging.php#L621"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060808%40easy-digital-downloads%2Ftrunk\u0026old=3042139%40easy-digital-downloads%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0837ba20-4b47-4cc8-9eb3-322289513d79?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:simple_shipping:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "354D12E0-D5F2-44FA-91F2-55DF9DC97FBF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Simple Shipping extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Simple Shipping de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9527",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.667",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-01 11:15
Modified
2025-02-07 19:44
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C80EF8FF-AECE-4903-B35E-FB54533EF2FD",
"versionEndIncluding": "3.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Easy Digital Downloads Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy): from n/a through 3.2.5.\n\n"
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante de generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Easy Digital Downloads Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026amp; Payments Made Easy) permite XSS almacenado. Este problema afecta a Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026amp; Payments Made Easy): desde n/a hasta 3.2.5."
}
],
"id": "CVE-2023-51684",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-01T11:15:11.260",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:recount_earnings:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "0357A7D9-B5E1-4232-9E51-B652A7866FDA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recount Earnings extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Recount Earnings de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9524",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:12.177",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:commissions:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "ED2CD1F4-4CCD-4D4C-8999-9DB043DCD068",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Commissions de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9508",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-18 07:15
Modified
2025-02-07 17:10
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "57A2731D-24E1-417B-9BA0-BB6727C100C5",
"versionEndExcluding": "3.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del valor del t\u00edtulo en todas las versiones hasta la 3.3.2 y incluida, debido a un escape de entrada y salida insuficiente de desinfecci\u00f3n. Esto permite que atacantes autenticados, con acceso de nivel de administrador, inyecten Scripts web arbitraria en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio e instalaciones donde se ha deshabilitado unfiltered_html."
}
],
"id": "CVE-2024-13517",
"lastModified": "2025-02-07T17:10:03.317",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-18T07:15:09.350",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3131805%40easy-digital-downloads\u0026new=3131805%40easy-digital-downloads\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d745937-4b0a-480a-9771-8af3288ee98f?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:free_downloads:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "60C97A40-C002-449B-9E41-0D2EF8C6E7CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Free Downloads de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9514",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.553",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:qr_code:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "CD47ED50-DD3C-442E-B9CD-CAACA37AFAE2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n QR Code de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9522",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:12.067",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-16 21:15
Modified
2025-02-07 19:44
Severity ?
Summary
The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://wordpress.org/plugins/easy-digital-downloads/#developers | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://wpvulndb.com/vulnerabilities/9770 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/easy-digital-downloads/#developers | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpvulndb.com/vulnerabilities/9770 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "BF52264F-62D8-4B41-A068-ED81234A485F",
"versionEndExcluding": "2.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection."
},
{
"lang": "es",
"value": "El plugin easy-digital-downloads versiones anteriores a 2.3.3 para WordPress, presenta una inyecci\u00f3n SQL."
}
],
"id": "CVE-2015-9324",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-16T21:15:10.550",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9770"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wpvulndb.com/vulnerabilities/9770"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-07 10:15
Modified
2025-05-05 21:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "99F997B0-A64D-4F62-8859-406672E9E4ED",
"versionEndExcluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"
},
{
"lang": "es",
"value": "El complemento de WordPress Easy Digital Downloads anterior a 3.0 no cuenta con verificaci\u00f3n CSRF al eliminar el historial de pagos y no garantiza que la publicaci\u00f3n que se eliminar\u00e1 sea en realidad un historial de pagos. Como resultado, los atacantes podr\u00edan hacer que un administrador que haya iniciado sesi\u00f3n elimine una publicaci\u00f3n arbitraria mediante un ataque CSRF."
}
],
"id": "CVE-2022-2387",
"lastModified": "2025-05-05T21:15:45.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-07T10:15:11.413",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "contact@wpscan.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-18 18:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://plugins.trac.wordpress.org/changeset/2697388 | Patch, Third Party Advisory | |
| contact@wpscan.com | https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://plugins.trac.wordpress.org/changeset/2697388 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2EB21186-E503-4EFE-B0AD-5D6E6FE5F4FC",
"versionEndExcluding": "2.11.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
},
{
"lang": "es",
"value": "El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6 no sanea ni escapa del nombre del archivo descargable en los registros, lo que podr\u00eda permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting cuando la capacidad unfiltered_html no est\u00e1 permitida"
}
],
"id": "CVE-2022-0706",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T18:15:08.253",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:per_product_emails:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "27CED7DC-CCDB-4198-992C-5F5062EC3DC3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Per Product Emails de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9520",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.927",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-02 10:15
Modified
2025-02-07 19:44
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A14CC86E-2556-4D49-BF54-72AB5F1B8C21",
"versionEndExcluding": "3.1.1.4.2",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation.\u00a0This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1."
}
],
"id": "CVE-2023-30869",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-02T10:15:09.357",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve"
},
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El componente principal de Easy Digital Downloads (EDD) versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7 para WordPress, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9505",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:10.910",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-29 14:15
Modified
2025-02-07 19:44
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B9FC1CDB-315E-43A1-A4F7-CFA86AD7F2CC",
"versionEndIncluding": "3.2.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12."
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL (\u0027Inyecci\u00f3n SQL\u0027) en Easy Digital Downloads permite la inyecci\u00f3n SQL. Este problema afecta a Easy Digital Downloads: desde n/a hasta 3.2.12."
}
],
"id": "CVE-2024-5057",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-29T14:15:09.080",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-12-sql-injection-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:manual_purchases:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "06CC2721-D1F5-466A-95F9-987F1825433D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Manual Purchases extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Manual Purchases de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9517",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.740",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:amazon_s3:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "B9B2DEA6-A1ED-4DD2-A243-EA9B00852B8C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n de Amazon S3 de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9506",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.007",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:recurring_payments:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "1044B68E-DB8E-4389-A15C-00DB5CC409EE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recurring Payments extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Recurring Payments de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9525",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.527",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:reviews:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "F1F45985-58BF-4B16-A60E-1956896641F1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Reviews de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9526",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.590",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-25 07:15
Modified
2025-08-08 19:21
Severity ?
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "ED95A51B-3D09-4138-9986-CDFE9114A648",
"versionEndExcluding": "3.3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 3.3.6.1 incluida, a trav\u00e9s de la funci\u00f3n edd_ajax_get_download_title(). Esto permite a atacantes no autenticados extraer t\u00edtulos privados de las publicaciones de las descargas. El impacto en este caso es m\u00ednimo."
}
],
"id": "CVE-2025-2252",
"lastModified": "2025-08-08T19:21:17.160",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2025-03-25T07:15:38.337",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.3.6.1/includes/ajax-functions.php#L459"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.3.6.1/includes/ajax-functions.php#L466"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3257409/easy-digital-downloads/trunk/includes/ajax-functions.php?contextall=1"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3257409/easy-digital-downloads/trunk/includes/ajax-functions.php?old=3226442\u0026old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fajax-functions.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0e3b81-55fe-46b2-bae1-d7321d74c485?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@wordfence.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-22 15:15
Modified
2025-02-20 21:15
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| audit@patchstack.com | https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability | Patch, Third Party Advisory | |
| audit@patchstack.com | https://wordpress.org/plugins/easy-digital-downloads/#developers | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/easy-digital-downloads/#developers | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "EBEAC57A-0D0D-4F7B-9876-E342640846E3",
"versionEndIncluding": "3.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PHP Object Injection vulnerability in Easy Digital Downloads plugin \u003c= 3.0.1 at WordPress."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n de objetos en PHP en el plugin Easy Digital Downloads versiones anteriores a 3.0.1 incluy\u00e9ndola, en WordPress."
}
],
"id": "CVE-2022-33900",
"lastModified": "2025-02-20T21:15:21.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 3.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-22T15:15:15.893",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability"
},
{
"source": "audit@patchstack.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:twenty-twelve:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "ACEC549E-B8D9-4405-9C4E-A33953EE1A79",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El tema Twenty-Twelve de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9536",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:11.340",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:content_restriction:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "D474C551-6721-4B97-943F-D6B6DB37C045",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Content Restriction de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9509",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.223",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-29 09:15
Modified
2025-08-12 19:59
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0E97A0F6-B94F-4574-97C9-96C8F5549E7C",
"versionEndExcluding": "3.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode edd_receipt en todas las versiones hasta la 3.3.8.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."
}
],
"id": "CVE-2025-4670",
"lastModified": "2025-08-12T19:59:47.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-29T09:15:27.113",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/changeset/3301852/"
},
{
"source": "security@wordfence.com",
"tags": [
"Release Notes"
],
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95c5bfc5-53b3-482f-856b-db6b6cac93a2?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-05 22:16
Modified
2025-02-07 19:44
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "5ED08F9C-B4DE-4E5C-9A02-34599699F13A",
"versionEndIncluding": "3.2.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026 Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 Sell Digital Files (eCommerce Store \u0026amp; Payments Made Easy) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del t\u00edtulo de la opci\u00f3n de precio variable en todas las versiones hasta la 3.2.6 incluida, debido a una sanitizaci\u00f3n de entrada insuficiente y la salida se escapa. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador de tienda, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
}
],
"id": "CVE-2024-0659",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-05T22:16:03.343",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6\u0026old=3030600\u0026new_path=/easy-digital-downloads/tags/3.2.7\u0026new=3030600\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6\u0026old=3030600\u0026new_path=/easy-digital-downloads/tags/3.2.7\u0026new=3030600\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-17 12:15
Modified
2025-02-07 17:08
Severity ?
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F28B49C0-5A54-44DB-A21E-342C69B6F5E1",
"versionEndExcluding": "3.3.5",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the \u0027verify_guest_email\u0027 function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads para WordPress es vulnerable a la autorizaci\u00f3n incorrecta en las versiones 3.1 a 3.3.4. Esto se debe a la falta de suficientes comprobaciones de validaci\u00f3n dentro de la funci\u00f3n \u0027verify_guest_email\u0027 para garantizar que el usuario solicitante sea el destinatario previsto del recibo de compra. Esto permite que atacantes no autenticados eludan las restricciones de seguridad previstas y vean los recibos de otros usuarios, que contienen un enlace para descargar contenido pago. Para explotar esta vulnerabilidad con \u00e9xito es necesario conocer la direcci\u00f3n de correo electr\u00f3nico de otro cliente, as\u00ed como el ID del archivo del contenido que compr\u00f3."
}
],
"id": "CVE-2024-9654",
"lastModified": "2025-02-07T17:08:58.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-12-17T12:15:21.157",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3188001/easy-digital-downloads/trunk/includes/blocks/includes/orders/functions.php?old=2990247\u0026old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fblocks%2Fincludes%2Forders%2Ffunctions.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3f4de75-abf5-46e8-854d-be91ed74a5f3?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-12 13:38
Modified
2025-02-07 17:06
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "57A2731D-24E1-417B-9BA0-BB6727C100C5",
"versionEndExcluding": "3.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Sell Digital Files \u0026 Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 Sell Digital Files \u0026amp; Subscriptions (eCommerce Store + Payments Made Easy) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del valor de la moneda en todas las versiones hasta la 3.3.2 incluida debido a una desinfecci\u00f3n de entrada insuficiente y la salida se escapa. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a las instalaciones multisitio y a las instalaciones en las que se ha deshabilitado unfiltered_html."
}
],
"id": "CVE-2024-6691",
"lastModified": "2025-02-07T17:06:37.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-12T13:38:39.607",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/src/Admin/Settings/Sanitize.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0459a6bd-334d-43b7-b289-271108564a53?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-13 15:15
Modified
2025-02-07 16:50
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.1.5.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "03FA0774-B653-4055-B40F-AA8B28E3709D",
"versionEndExcluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.1.5."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en Easy Digital Downloads Easy Digital Downloads permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Easy Digital Downloads: desde n/a hasta 3.1.5."
}
],
"id": "CVE-2023-40005",
"lastModified": "2025-02-07T16:50:09.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-13T15:15:21.153",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/wordpress/plugin/easy-digital-downloads/vulnerability/wordpress-easy-digital-downloads-plugin-3-1-5-broken-access-control?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:pushover_notifications:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "245FF0E1-F2C4-4F22-B2C6-A07086E79249",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Pushover Notifications de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9521",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:12.007",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:csv_manager:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "085AD230-C95C-44DC-A69D-4745EC5BAD96",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n CSV Manager de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9512",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:attach_accounts_to_orders:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "5114A7D9-63E5-4BF3-A7B7-C690988F91D6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Attach Accounts to Orders de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9507",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.083",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:favorites:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "747BEDA7-843B-4CD0-94AD-931A14BB8852",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Favorites de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9513",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-24 03:15
Modified
2025-02-07 17:08
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C29ABEF0-C244-41BF-9B64-4A772BFD21F0",
"versionEndExcluding": "3.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the \u0027upload[file]\u0027 parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files para WordPress es vulnerable a la deserializaci\u00f3n de entradas no confiables a trav\u00e9s del par\u00e1metro \u0027upload[file]\u0027 en versiones hasta la 3.3.3 incluida. Esto permite que los usuarios administrativos autenticados llamen a archivos mediante un contenedor PHAR, que deserializar\u00e1 y llamar\u00e1 a objetos PHP arbitrarios que se pueden usar para realizar una variedad de acciones maliciosas siempre que tambi\u00e9n est\u00e9 presente una cadena POP."
}
],
"id": "CVE-2022-2439",
"lastModified": "2025-02-07T17:08:10.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-24T03:15:02.040",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/includes/admin/import/import-functions.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/src/Utils/FileSystem.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dc?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:shoppette:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "B35206B0-5FB3-47D5-8331-61A164949600",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El tema Shoppette de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD 1.8.x anteriores a 1.8.7, 1.9.x antes 1.9.10, 2.0.x antes 2.0.5, 2.1.x antes 2.1.11, 2.2. x anteriores a 2.2.9, y 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9535",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:11.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:pdf_invoices:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "17BD78A2-C7A1-41DE-90EB-A1FD14AD90CC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n PDF Invoices de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9518",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.803",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-01 15:15
Modified
2025-02-07 16:51
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DD7F9839-7688-4D6E-B239-F349202246B5",
"versionEndExcluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12."
},
{
"lang": "es",
"value": "La vulnerabilidad de autorizaci\u00f3n faltante en Easy Digital Downloads permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Easy Digital Downloads: desde n/a hasta 3.2.12."
}
],
"id": "CVE-2024-43162",
"lastModified": "2025-02-07T16:51:51.807",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-01T15:15:40.687",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-12-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-21 12:15
Modified
2025-02-07 17:09
Severity ?
Summary
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "57A2731D-24E1-417B-9BA0-BB6727C100C5",
"versionEndExcluding": "3.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
},
{
"lang": "es",
"value": "El complemento Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy para WordPress es vulnerable a Directory Traversal en todas las versiones hasta la 3.3.2 incluida a trav\u00e9s de la funci\u00f3n de descarga de archivos. Esto permite que atacantes autenticados, con acceso de nivel de administrador o superior, lean el contenido de archivos arbitrarios en el servidor, que pueden contener informaci\u00f3n confidencial."
}
],
"id": "CVE-2024-12875",
"lastModified": "2025-02-07T17:09:37.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-12-21T12:15:20.910",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/includes/process-download.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec065da7-b8aa-414d-9673-5caf87ad45b5?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-73"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-18 18:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://plugins.trac.wordpress.org/changeset/2697388 | Patch, Third Party Advisory | |
| contact@wpscan.com | https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://plugins.trac.wordpress.org/changeset/2697388 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2EB21186-E503-4EFE-B0AD-5D6E6FE5F4FC",
"versionEndExcluding": "2.11.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
},
{
"lang": "es",
"value": "El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6, no presenta comprobaci\u00f3n de tipo CSRF cuando son insertadas notas de pago, lo que podr\u00eda permitir a atacantes hacer que un administrador registrado inserte notas arbitrarias por medio de un ataque de tipo CSRF"
}
],
"id": "CVE-2022-0707",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T18:15:08.307",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:wish_lists:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "824EF4CD-7083-4A82-AD99-0DB1C8B7A6BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Wish Lists de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9531",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.963",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:cross-sell_and_upsell:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "5C837B73-E1E3-4A33-9873-FF913D0168D3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Cross-sell Upsell de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9510",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.270",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:lattice:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "FA3C165F-B9D8-4613-B25F-0597A6CC120D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El tema Lattice de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9533",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:11.107",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-21 11:15
Modified
2025-04-30 14:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4B193C23-F5A5-454B-9A38-A346BFFB6C7B",
"versionEndExcluding": "3.1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection."
},
{
"lang": "es",
"value": "El complemento de WordPress Easy Digital Downloads anterior a 3.1.0.2 no valida los datos cuando se generan en un archivo CSV, lo que podr\u00eda provocar una inyecci\u00f3n de CSV."
}
],
"id": "CVE-2022-3600",
"lastModified": "2025-04-30T14:15:24.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-21T11:15:20.410",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:digital_store:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "128D0EC8-0D55-4E2E-A524-4ABF8F7CC63A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El tema Digital Store de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9532",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:11.027",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Quota theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:quota:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "ECE602D1-9BCF-4C69-A3AC-FEDADD88896B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Quota theme for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "El tema Quota de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9534",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:11.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:recommended_products:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "988E9486-36F6-4714-86EC-FCDF6D1E2D9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Recommended Products extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Recommended Products de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9523",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:12.130",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:upload_file:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "5123BFB5-419D-418C-8532-2959C48D6AB0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Upload File extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Upload File de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9530",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.903",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 16:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:stripe:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "136B6679-4AEC-4958-A519-868F4763C6AB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n Stripe de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9529",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T16:15:10.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-23 17:15
Modified
2025-02-07 19:44
Severity ?
Summary
The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FF9FEDCE-C0AE-4045-B71B-59D4FCA1F769",
"versionEndExcluding": "1.8.7",
"versionStartIncluding": "1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AB250869-BD89-4639-9D18-708032CC3251",
"versionEndExcluding": "1.9.10",
"versionStartIncluding": "1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "069AA087-DA95-4BD1-973F-B53E0DD8E658",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4BA7E3D6-4B3F-4C5C-B7B4-B3F716CB4045",
"versionEndExcluding": "2.1.11",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "449E6BE0-6A82-4FD4-8F48-865B35DCE0FA",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:awesomemotive:easy_digital_downloads:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0ED07242-1A2A-4F42-ABDD-46642EA07E44",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:easydigitaldownloads:htaccess_editor:-:*:*:*:*:easy_digital_downloads:*:*",
"matchCriteriaId": "E72CA42B-09BE-41AA-A4D0-0683077D841A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused."
},
{
"lang": "es",
"value": "La extensi\u00f3n htaccess Editor de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el par\u00e1metro add_query_arg es usado inapropiadamente."
}
],
"id": "CVE-2015-9515",
"lastModified": "2025-02-07T19:44:53.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-23T17:15:11.617",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}