Easy Digital Downloads < 2.11.6 – Admin+ Stored Cross-Site Scripting | CVE 2022-0706 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a Download and put the following payload in the File Name field: <img src=x:x onerror=alert(/XSS/)>
Download the file via the frontend (as unauthenticated for example)
The XSS will be triggered when viewing the Reports > Logs Page (/wp-admin/edit.php?post_type=download&page=edd-reports&tab=logs)

Affects Plugins

easy-digital-downloads

Fixed in 2.11.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2697388

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

muhamad hidayat

Submitter

muhamad hidayat

Submitter website

https://muh-hidayat7799.medium.com/

Submitter twitter

Verified

Yes

WPVDB ID

598d5c1b-7930-46a6-9a31-5e08a5f14907

Timeline

Publicly Published

2022-03-28 (about 2 years ago)

Added

2022-03-28 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2015-04-20

Title

Gravity Forms <= 1.9.6 - Cross-Site Scripting (XSS)

Published

2023-12-18

Title

Simple Membership < 4.3.9 - Reflected Cross-Site Scripting Vulnerability via environment_mode

Published

2021-09-09

Title

WordPress InviteBox Plugin <= 1.4.1 - Reflected Cross-Site Scripting

Published

2023-02-15

Title

Eyes Only: User Access Shortcode <= 1.8.2 - Admin+ Stored XSS

Published

2023-09-27

Title

RSVPMarker < 10.6.7 - Admin+ Stored XSS