WordPress Plugin Vulnerabilities

Easy Digital Downloads < 3.3.1 - Unauthenticated SQL Injection

Description

The Easy Digital Downloads plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.2.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 3.3.1

References

CVE
CVE-2024-5057
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/20fdbe6b-45a8-41f4-8dde-35a0f9ea04a1

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
10 (critical)

Miscellaneous

Original Researcher
akas wisnu aji
Verified
No
WPVDB ID
6195da7f-4da8-4e1a-b3ae-89500ef71712

Timeline

Publicly Published
2024-08-01 (about 1 year ago)
Added
2024-08-07 (about 1 year ago)
Last Updated
2024-08-07 (about 1 year ago)

Other

Published
Title
Published
2022-07-18
Title
WPDating < 7.4.0 - Multiple Unauthenticated SQLi
Published
2015-06-08
Title
Easy2Map < 1.2.5 - SQL Injection
Published
2022-10-03
Title
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
Published
2025-06-03
Title
Product Filter Pro < 2.9.6 - Unauthenticated SQL Injection
Published
2022-08-08
Title
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi