WordPress Plugin Vulnerabilities

Easy Digital Downloads < 3.0.2 - Admin+ PHP Object Injection

Description

The plugin does not validate user input before unserialising it, which could allow high privilege users to perform PHP Objection injection attacks

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 3.0.2

References

CVE
CVE-2022-33900

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Robert Rowley
Verified
No
WPVDB ID
76861f59-bd45-4c27-96bf-3ddf96456059

Timeline

Publicly Published
2022-08-10 (about 3 years ago)
Added
2022-08-22 (about 3 years ago)
Last Updated
2023-05-12 (about 3 years ago)

Other

Published
Title
Published
2025-04-21
Title
Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection
Published
2025-07-01
Title
WooCommerce Product Multi-Action <= 1.3 - Unauthenticated PHP Object Injection
Published
2022-08-08
Title
String Locator < 2.6.0 - Authenticated PHAR Deserialization
Published
2025-02-23
Title
Events Calendar for GeoDirectory < 2.3.15 - Authenticated (Contributor+) PHP Object Injection
Published
2025-12-11
Title
Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie