CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0659 – Easy Digital Downloads <= 3.2.6 - Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options
https://notcve.org/view.php?id=CVE-2024-0659
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del título de la opción de precio variable en todas las versiones hasta la 3.2.6 incluida, debido a una sanitización de entrada insuficiente y la salida se escapa. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador de tienda, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?old_path=/easy-digital-downloads/tags/3.2.6&old=3030600&new_path=/easy-digital-downloads/tags/3.2.7&new=3030600&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51684 – WordPress Easy Digital Downloads Plugin <= 3.2.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51684
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5. La vulnerabilidad de neutralización incorrecta de la entrada durante de generación de páginas web ('Cross-site Scripting') en Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) permite XSS almacenado. Este problema afecta a Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): desde n/a hasta 3.2.5. The Easy Digital Downloads plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40005 – Easy Digital Downloads <= 3.1.5 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-40005
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action. • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0380 – Easy Digital Downloads < 3.1.0.5 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0380
The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Easy Digital Downloads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page • https://wpscan.com/vulnerability/3256e090-1131-459d-ade5-f052cd5d189f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 10%CPEs: 1EXPL: 1CVE-2023-23489 – Easy Digital Downloads < 3.1.0.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2023-23489
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. The Easy Digital Downloads plugin for WordPress is vulnerable to SQL Injection in versions before 3.1.0.4 via the 's' parameter used in the 'edd_download_search' AJAX action. This allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •