WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF

Description

The plugin did not property check for CSRF when disconnecting Stripe, allowing attackers to make logged in users with the manage_options capability disconnect the Stripe gateway via a CSRF attack.

Proof of Concept

https://example.com/wp-admin/admin-post.php?page=edd-settings&edds-stripe-disconnect=1

Affects Plugins

easy-digital-downloads
Fixed in version 2.10.3

References

URL
https://plugins.trac.wordpress.org/changeset/2514681/

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
b4100738-fb93-42e8-97db-508a911c092e

Timeline

Publicly Published

2021-04-16 (about 1 years ago)

Added

2021-04-16 (about 1 years ago)

Last Updated

2021-04-16 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin