CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0380 – Easy Digital Downloads < 3.1.0.5 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0380
30 Jan 2023 — The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Easy Digital Downloads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.1.0.4 due to insufficient input sanitization and output escapi... • https://wpscan.com/vulnerability/3256e090-1131-459d-ade5-f052cd5d189f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 83%CPEs: 1EXPL: 1CVE-2023-23489 – Easy Digital Downloads < 3.1.0.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2023-23489
12 Jan 2023 — The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. The Easy Digital Downloads plugin for WordPress is vulnerable to SQL Injection in versions before 3.1.0.4 via the 's' parameter used in the 'edd_download_search' AJAX action. This allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive infor... • https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2387 – Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
https://notcve.org/view.php?id=CVE-2022-2387
17 Oct 2022 — The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack El complemento de WordPress Easy Digital Downloads anterior a 3.0 no cuenta con verificación CSRF al eliminar el historial de pagos y no garantiza que la publicación que se eliminará sea en realidad un historial de pagos.... • https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3600 – Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection
https://notcve.org/view.php?id=CVE-2022-3600
28 Sep 2022 — The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection. El complemento de WordPress Easy Digital Downloads anterior a 3.1.0.2 no valida los datos cuando se generan en un archivo CSV, lo que podría provocar una inyección de CSV. The Easy Digital Downloads plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 3.1.0.1.1. This allows unauthenticated attackers to embed untrusted input into ... • https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33900 – WordPress Easy Digital Downloads plugin <= 3.0.1 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2022-33900
10 Aug 2022 — PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Una vulnerabilidad de inyección de objetos en PHP en el plugin Easy Digital Downloads versiones anteriores a 3.0.1 incluyéndola, en WordPress. The Easy Digital Downloads plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. • https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0707 – Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
https://notcve.org/view.php?id=CVE-2022-0707
09 Apr 2022 — The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6, no presenta comprobación de tipo CSRF cuando son insertadas notas de pago, lo que podría permitir a atacantes hacer que un administrador registrado inserte notas arbitrarias por medio de un ataque de tipo CSRF The Easy Di... • https://plugins.trac.wordpress.org/changeset/2697388 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0706 – Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0706
28 Mar 2022 — The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6 no sanea ni escapa del nombre del archivo descargable en los registros, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting c... • https://plugins.trac.wordpress.org/changeset/2697388 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39354 – Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39354
21 Oct 2021 — The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2. El plugin Easy Digital Downloads de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado por medio de los parámetros $start_date y $end_date encontrados en el archivo ~/includes/admin/paym... • https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2015-9508 – Easy Digital Downloads – Commissions <= 3.1.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9508
14 Oct 2019 — The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused. La extensión Commissions de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x ... • https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9324 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-9324
16 Aug 2019 — The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection. El plugin easy-digital-downloads versiones anteriores a 2.3.3 para WordPress, presenta una inyección SQL. The Easy Digital Downloads – Simple Ecommerce for Selling Digital Files WordPress plugin was affected by a SQL Injection security vulnerability. Versions up to, and including, 2.3.2 were affected. • https://wordpress.org/plugins/easy-digital-downloads/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •