WordPress Plugin Vulnerabilities

Easy Digital Downloads < 3.2.6 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 3.2.6

References

CVE
CVE-2023-51684
URL
https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
0b9bfaf6-7468-43f6-a692-7c9e20ddf354

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
FP RSS Category Excluder <= 1.0.0 - Reflected Cross-Site Scripting
Published
2024-10-29
Title
HT Team Member < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via htteamember Shortcode
Published
2025-03-27
Title
Off-Canvas Sidebars & Menus (Slidebars) < 0.5.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-13
Title
FooGallery < 2.2.41 - Reflected XSS
Published
2022-03-15
Title
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword