CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0707 – Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
https://notcve.org/view.php?id=CVE-2022-0707
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6, no presenta comprobación de tipo CSRF cuando son insertadas notas de pago, lo que podría permitir a atacantes hacer que un administrador registrado inserte notas arbitrarias por medio de un ataque de tipo CSRF The Easy Digital Downloads WordPress plugin before version 2.11.6 does not have Cross-Site Request Forgery checks in place when inserting payment notes. This could allow attackers to make a logged admin insert arbitrary notes via a Cross-Site Request Forgery attack. • https://plugins.trac.wordpress.org/changeset/2697388 https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0706 – Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0706
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed El plugin Easy Digital Downloads de WordPress versiones anteriores a 2.11.6 no sanea ni escapa del nombre del archivo descargable en los registros, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting cuando la capacidad unfiltered_html no está permitida • https://plugins.trac.wordpress.org/changeset/2697388 https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39354 – Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39354
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2. El plugin Easy Digital Downloads de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado por medio de los parámetros $start_date y $end_date encontrados en el archivo ~/includes/admin/payments/class-payments-table.php que permite a atacantes inyectar scripts web arbitrarios, en versiones hasta la 2.11.2 incluyéndola • https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2015-9508 – Easy Digital Downloads – Commissions <= 3.1.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9508
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused. La extensión Commissions de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el parámetro add_query_arg es usado inapropiadamente. • https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9324 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-9324
The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection. El plugin easy-digital-downloads versiones anteriores a 2.3.3 para WordPress, presenta una inyección SQL. The Easy Digital Downloads – Simple Ecommerce for Selling Digital Files WordPress plugin was affected by a SQL Injection security vulnerability. Versions up to, and including, 2.3.2 were affected. • https://wordpress.org/plugins/easy-digital-downloads/#developers https://wpvulndb.com/vulnerabilities/9770 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •