Easy Digital Downloads < 2.11.6 – Admin+ Stored Cross-Site Scripting | CVE 2022-0706 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a Download and put the following payload in the File Name field: <img src=x:x onerror=alert(/XSS/)>
Download the file via the frontend (as unauthenticated for example)
The XSS will be triggered when viewing the Reports > Logs Page (/wp-admin/edit.php?post_type=download&page=edd-reports&tab=logs)

Affects Plugins

easy-digital-downloads

Fixed in 2.11.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2697388

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

muhamad hidayat

Submitter

muhamad hidayat

Submitter website

https://muh-hidayat7799.medium.com/

Submitter twitter

Verified

Yes

WPVDB ID

598d5c1b-7930-46a6-9a31-5e08a5f14907

Timeline

Publicly Published

2022-03-28 (about 3 years ago)

Added

2022-03-28 (about 3 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2024-03-25

Title

Photo Gallery by Supsystic < 1.15.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-07-15

Title

Form Maker < 1.13.60 - Authenticated Stored XSS

Published

2024-03-16

Title

WooCommerce License Manager < 5.3.2 - Reflected Cross-Site Scripting

Published

2022-10-29

Title

Evaluate <= 1.0 - Admin+ Stored Cross-Site Scripting

Published

2025-01-07

Title

Scan External Links <= 1.0 - Reflected Cross-Site Scripting