Easy Digital Downloads – Simple eCommerce for Selling Digital Files < 3.3.4 – Authenticated (Admin+) PHAR Deserialization | CVE 2022-2439 | Plugin Vulnerabilities

Description

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Affects Plugins

easy-digital-downloads

Fixed in 3.3.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dc

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Rasoul Jahanshahi

Verified

No

WPVDB ID

4fc3c24a-b93c-473d-8ed2-489fa7f2fed7

Timeline

Publicly Published

2024-09-23 (about 1 year ago)

Added

2024-09-23 (about 1 year ago)

Last Updated

2024-09-24 (about 1 year ago)

Other

Published

Title

Published

2024-04-29

Title

Event Monster < 1.4.0 - Contributor+ PHP Object Injection via Custom Meta

Published

2025-08-21

Title

Portfolio Manager Pro 3.8 - Unauthenticated PHP Object Injection

Published

2026-06-12

Title

JetEngine < 3.8.10.1 - Unauthenticated PHP Object Injection

Published

2024-07-17

Title

Timeline Event History < 3.2 - Authenticated (Contributor+) PHP Object Injection

Published

2024-03-26

Title

BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer for Elementor & Gutenberg < 3.3.4 - Unauthenticated PHP Object Injection