
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Easy Digital Downloads WordPress plugin before 3.0 does not have a CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged-in admin delete an arbitrary post via a CSRF attack.

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.11.7. This is due to missing or incorrect nonce validation when deleting payment history.

• https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when it is output in a CSV file, which could lead to CSV injection.

The Easy Digital Downloads plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 3.1.0.1.1. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

• https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.

The Easy Digital Downloads plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object.

• https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-0-1-php-object-injection-vulnerability
• https://wordpress.org/plugins/easy-digital-downloads/#developers
• CWE-502: Deserialization of Untrusted Data

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have a CSRF check in place when inserting payment notes, which could allow attackers to make a logged-in admin insert arbitrary notes via a CSRF attack.

The Easy Digital Downloads WordPress plugin before version 2.11.6 does not have Cross-Site Request Forgery checks in place when inserting payment notes. This could allow attackers to make a logged-in admin insert arbitrary notes via a Cross-Site Request Forgery attack.

• https://plugins.trac.wordpress.org/changeset/2697388
• https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high-privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

• https://plugins.trac.wordpress.org/changeset/2697388
• https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')