CVE-2022-0706 – Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0706
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise or escape the Downloadable File Name when rendering it in the Logs screen. A high-privilege user can therefore store script in a file name and have it execute for other administrators, which is a vulnerability in the situations where WordPress has revoked the unfiltered_html capability (for example, on multisite or when DISALLOW_UNFILTERED_HTML is set) and such users are not supposed to be able to inject markup. • https://plugins.trac.wordpress.org/changeset/2697388 https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39354 – Easy Digital Downloads <= 2.11.2 Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39354
Easy Digital Downloads versions up to and including 2.11.2 are vulnerable to reflected cross-site scripting via the $start_date and $end_date parameters in ~/includes/admin/payments/class-payments-table.php: the values are written back into the admin payments table without escaping, so an attacker who gets an authenticated user to follow a crafted link can inject arbitrary web script into that page. • https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9324 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-9324
The easy-digital-downloads plugin for WordPress has an SQL injection vulnerability in versions up to and including 2.3.2; it is fixed in 2.3.3. The advisory does not identify the affected query or parameter. • https://wordpress.org/plugins/easy-digital-downloads/#developers https://wpvulndb.com/vulnerabilities/9770 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
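The advisory above names no query, so the following is an added example of the CWE-89 pattern as it typically appears in a WordPress plugin, not Easy Digital Downloads' own code. The table, column and function names are hypothetical, the `FakeWpdb` class is a stand-in for the real `$wpdb` so the file runs with plain `php` outside WordPress, and the inputs are constructed. It shows string-built SQL beside `$wpdb->prepare()`, and the allow-list needed for ORDER BY, which `prepare()` cannot parameterise.

```php
<?php
// Added example (not EDD's own code). Hypothetical query and names;
// FakeWpdb imitates the two $wpdb methods used here.

// Stand-in for $wpdb: prepare() quotes %s and casts %d to int, as the
// real implementation does (the real one uses the MySQL escape function
// rather than addslashes()).
class FakeWpdb {
    public $prefix = 'wp_';

    public function prepare( $query, ...$args ) {
        $i = 0;
        return preg_replace_callback( '/%[sd]/', function ( $m ) use ( $args, &$i ) {
            $arg = $args[ $i++ ] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes( (string) $arg ) . "'";
        }, $query );
    }
}

// Vulnerable: request-controlled values interpolated straight into SQL.
function customer_payments_vulnerable( $wpdb, $customer_id, $status ) {
    return "SELECT ID FROM {$wpdb->prefix}posts "
         . "WHERE post_author = {$customer_id} AND post_status = '{$status}'";
}

// Hardened: every value goes through prepare() placeholders.
function customer_payments( $wpdb, $customer_id, $status ) {
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->prefix}posts WHERE post_author = %d AND post_status = %s",
        $customer_id,
        $status
    );
}

// Identifiers (ORDER BY column, sort direction) cannot be placeholders;
// they must be reduced to a fixed allow-list before interpolation.
function sorted_payments( $wpdb, $orderby, $order ) {
    $allowed_columns = [ 'ID', 'post_date', 'post_title' ];
    $orderby = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'post_date';
    $order   = strtoupper( (string) $order ) === 'ASC' ? 'ASC' : 'DESC';
    return "SELECT ID FROM {$wpdb->prefix}posts ORDER BY {$orderby} {$order}";
}

// Constructed attacker inputs.
$wpdb   = new FakeWpdb();
$status = "publish' OR '1'='1";

echo customer_payments_vulnerable( $wpdb, '1 OR 1=1', $status ), "\n";
echo customer_payments( $wpdb, '1 OR 1=1', $status ), "\n";
echo sorted_payments( $wpdb, 'post_date, (SELECT SLEEP(5))', 'asc' ), "\n";
```

The first line printed is a query whose WHERE clause matches every row; the second has `post_author = 1` and the status value quoted as a literal; the third ignores the injected ORDER BY expression and falls back to `post_date ASC`. When auditing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose first argument is a double-quoted string containing a variable that is not the table prefix.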
CVE-2019-15116 – Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.9.15 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15116
The easy-digital-downloads plugin before 2.9.16 for WordPress has a stored cross-site scripting vulnerability related to IP address logging: the client address recorded with a log entry is written into the admin log view without escaping, so a value that is not a valid IP address can carry script. • https://wordpress.org/plugins/easy-digital-downloads/#developers https://wpvulndb.com/vulnerabilities/9334 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
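The three CWE-79 entries on this page (the stored file name in CVE-2022-0706, the reflected date filter in CVE-2021-39354 and the logged IP address in CVE-2019-15116) share one root cause: a string the attacker influences is written into admin-screen markup without output escaping. The block below is an added example in WordPress plugin style and is not Easy Digital Downloads' own code; the render functions and the `start-date` parameter name are hypothetical, the inputs are constructed, and the `esc_html()`/`esc_attr()` definitions are stand-ins so the file runs with plain `php` outside WordPress (inside WordPress the core functions from wp-includes/formatting.php take over).

```php
<?php
// Added example (not EDD's own code). Shows the vulnerable and hardened
// form of each output site, plus IP validation before logging.

// Stand-ins so this runs outside WordPress; the real functions are in core.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed inputs: a stored download file name, a request parameter,
// and a spoofable X-Forwarded-For header that a plugin might log as "IP".
$file_name  = 'invoice.pdf<img src=x onerror=alert(document.domain)>';
$start_date = '2021-01-01"><script>alert(1)</script>';
$forwarded  = '127.0.0.1<svg onload=alert(1)>';

// Vulnerable: raw values interpolated into markup.
function render_log_row_vulnerable( $file_name, $ip ) {
    return "<tr><td>{$file_name}</td><td>{$ip}</td></tr>";
}
function render_date_filter_vulnerable( $start_date ) {
    return '<input type="text" name="start-date" value="' . $start_date . '">';
}

// Hardened: escape at the point of output, with the escaper matching the
// context (text node vs. attribute value).
function render_log_row( $file_name, $ip ) {
    return '<tr><td>' . esc_html( $file_name ) . '</td><td>' . esc_html( $ip ) . '</td></tr>';
}
function render_date_filter( $start_date ) {
    return '<input type="text" name="start-date" value="' . esc_attr( $start_date ) . '">';
}

// Logged "IP addresses" are attacker-controlled when taken from headers.
// Validate before storing; escaping on output remains the backstop.
function client_ip_for_log( array $server ) {
    $candidate = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    $candidate = trim( explode( ',', (string) $candidate )[0] );
    return filter_var( $candidate, FILTER_VALIDATE_IP ) ?: '0.0.0.0';
}

echo render_log_row_vulnerable( $file_name, $forwarded ), "\n";
echo render_log_row( $file_name, client_ip_for_log( [ 'HTTP_X_FORWARDED_FOR' => $forwarded ] ) ), "\n";
echo render_date_filter_vulnerable( $start_date ), "\n";
echo render_date_filter( $start_date ), "\n";
```

The vulnerable rows emit live `<img>`, `<svg>` and `<script>` elements; the hardened rows emit `&lt;img ...&gt;` text, the IP column becomes `0.0.0.0` because the forwarded value failed `FILTER_VALIDATE_IP`, and the date filter's quote is turned into `&quot;` so the attribute cannot be closed. The unfiltered_html qualifier on CVE-2022-0706 is why the stored case counts as a vulnerability at all: WordPress deliberately lets users holding that capability post script, so the bug only matters on sites that have revoked it, and output escaping is what enforces the revocation regardless of what was saved.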