WordPress Plugin Vulnerabilities

Easy Digital Downloads Google Sheet Connector < 1.6.6 - Access Code Update via CSRF

Description

The plugin does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
edd-google-sheet-connector-pro
Fixed in 1.4
Plugin icon
gsheetconnector-easy-digital-downloads
Fixed in 1.6.6

References

CVE
CVE-2023-2334

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
95562684-2bb1-46f0-838c-8501db6b43ed

Timeline

Publicly Published
2023-04-27 (about 2 years ago)
Added
2025-03-02 (about 10 months ago)
Last Updated
2025-03-02 (about 10 months ago)

Other

Published
Title
Published
2024-08-19
Title
Pocket Widget <= 0.1.3 - Admin+ Stored XSS
Published
2024-11-22
Title
PDF Invoices & Packing Slips Generator for WooCommerce < 2.2.2 - Reflected Cross-Site Scripting
Published
2024-10-15
Title
UltraAddons Elementor Lite <= 2.0.2 - Author+ Stored XSS
Published
2022-12-28
Title
OneClick Chat to Order < 1.0.4.2 - Contributor+ Stored XSS via Shortcode
Published
2022-01-12
Title
Quiz And Survey Master < 7.3.7 - Reflected Cross-Site Scripting