WordPress Plugin Vulnerabilities

Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF

Description

The plugin does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 2.11.6

References

CVE
CVE-2022-0707
URL
https://plugins.trac.wordpress.org/changeset/2697388

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
2.4 (low)

Miscellaneous

Original Researcher
muhamad hidayat
Submitter
muhamad hidayat
Submitter website
https://muh-hidayat7799.medium.com/
Submitter twitter
hidesu_ae
Verified
Yes
WPVDB ID
50680797-61e4-4737-898f-e5b394d89117

Timeline

Publicly Published
2022-03-28 (about 3 years ago)
Added
2022-03-28 (about 3 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2025-05-07
Title
EasyMe Connect <= 3.0.3 - Cross-Site Request Forgery
Published
2024-04-23
Title
Slash Admin < 3.8.2 - Cross-Site Request Forgery
Published
2022-06-06
Title
miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting
Published
2016-12-21
Title
copy-me 1.0.0 - Copy Posts Cross-Site Request Forgery (CSRF)
Published
2023-10-16
Title
Snap Pixel < 1.6.0 - Arbitrary Settings Update via CSRF