Search criteria
6 vulnerabilities found for Easy Digital Downloads – Simple eCommerce for Selling Digital Files by Unknown
CVE-2022-2387 (GCVE-0-2022-2387)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-05 20:26
VLAI?
Title
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
Summary
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
3.0 , < 3.0
(custom)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:26:18.816586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:26:52.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 3.0 - Arbitrary Post Deletion via CSRF",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2387",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-07-12T00:00:00.000Z",
"dateUpdated": "2025-05-05T20:26:52.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0707 (GCVE-0-2022-0707)
Vulnerability from cvelistv5 – Published: 2022-04-18 17:10 – Updated: 2024-08-02 23:40
VLAI?
Title
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
2.11.6 , < 2.11.6
(custom)
|
Credits
muhamad hidayat
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0707",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"name": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0707",
"datePublished": "2022-04-18T17:10:31",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0706 (GCVE-0-2022-0706)
Vulnerability from cvelistv5 – Published: 2022-04-18 17:10 – Updated: 2024-08-02 23:40
VLAI?
Title
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
2.11.6 , < 2.11.6
(custom)
|
Credits
muhamad hidayat
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0706",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0706",
"datePublished": "2022-04-18T17:10:29",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2387 (GCVE-0-2022-2387)
Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-05 20:26
VLAI?
Title
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
Summary
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
3.0 , < 3.0
(custom)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:26:18.816586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:26:52.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 3.0 - Arbitrary Post Deletion via CSRF",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2387",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-07-12T00:00:00.000Z",
"dateUpdated": "2025-05-05T20:26:52.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0707 (GCVE-0-2022-0707)
Vulnerability from nvd – Published: 2022-04-18 17:10 – Updated: 2024-08-02 23:40
VLAI?
Title
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
2.11.6 , < 2.11.6
(custom)
|
Credits
muhamad hidayat
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0707",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Arbitrary Payment Note Insertion via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
},
{
"name": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/50680797-61e4-4737-898f-e5b394d89117"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0707",
"datePublished": "2022-04-18T17:10:31",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0706 (GCVE-0-2022-0706)
Vulnerability from nvd – Published: 2022-04-18 17:10 – Updated: 2024-08-02 23:40
VLAI?
Title
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
Summary
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Easy Digital Downloads – Simple eCommerce for Selling Digital Files |
Affected:
2.11.6 , < 2.11.6
(custom)
|
Credits
muhamad hidayat
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.6",
"status": "affected",
"version": "2.11.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "muhamad hidayat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T17:10:29",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0706",
"STATE": "PUBLIC",
"TITLE": "Easy Digital Downloads \u003c 2.11.6 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.11.6",
"version_value": "2.11.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "muhamad hidayat"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/598d5c1b-7930-46a6-9a31-5e08a5f14907"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2697388",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2697388"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0706",
"datePublished": "2022-04-18T17:10:29",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}