CVE-2021-39354 – Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39354
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2. El plugin Easy Digital Downloads de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado por medio de los parámetros $start_date y $end_date encontrados en el archivo ~/includes/admin/payments/class-payments-table.php que permite a atacantes inyectar scripts web arbitrarios, en versiones hasta la 2.11.2 incluyéndola • https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-9508 – Easy Digital Downloads – Commissions <= 3.1.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9508
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused. La extensión Commissions de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el parámetro add_query_arg es usado inapropiadamente. • https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-9324 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-9324
The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection. El plugin easy-digital-downloads versiones anteriores a 2.3.3 para WordPress, presenta una inyección SQL. The Easy Digital Downloads – Simple Ecommerce for Selling Digital Files WordPress plugin was affected by a SQL Injection security vulnerability. Versions up to, and including, 2.3.2 were affected. • https://wordpress.org/plugins/easy-digital-downloads/#developers https://wpvulndb.com/vulnerabilities/9770 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-15116 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.9.15 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15116
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. El plugin easy-digital-downloads versiones anteriores a 2.9.16 para WordPress, presenta una vulnerabilidad de tipo XSS relacionada con el registro de direcciones IP. • https://wordpress.org/plugins/easy-digital-downloads/#developers https://wpvulndb.com/vulnerabilities/9334 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-9506 – Easy Digital Downloads – Amazon S3 <= 2.1.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9506
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused. La extensión de Amazon S3 de Easy Digital Downloads (EDD) para WordPress, como es usada con EDD versiones 1.8.x anteriores a 1.8.7, versiones 1.9.x anteriores a 1.9.10, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.11, versiones 2.2.x anteriores a 2.2.9, y versiones 2.3.x anteriores a 2.3.7, presenta una vulnerabilidad de tipo XSS porque el parámetro add_query_arg es usado inapropiadamente. • https://web.archive.org/web/20160921003517/https://easydigitaldownloads.com/blog/security-fix-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •