WordPress Plugin Vulnerabilities

Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF

Description

The plugin did not property check for CSRF when disconnecting Stripe, allowing attackers to make logged in users with the manage_options capability disconnect the Stripe gateway via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 2.10.3

References

URL
https://plugins.trac.wordpress.org/changeset/2514681/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
b4100738-fb93-42e8-97db-508a911c092e

Timeline

Publicly Published
2021-04-16 (about 4 years ago)
Added
2021-04-16 (about 4 years ago)
Last Updated
2021-04-16 (about 4 years ago)

Other

Published
Title
Published
2018-05-15
Title
Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery (CSRF)
Published
2021-08-16
Title
Rucy <= 0.4.4 - Cross-Site Request Forgery
Published
2025-01-16
Title
amr personalise <= 2.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-08-25
Title
Post Type Converter <= 0.6 - Cross-Site Request Forgery
Published
2022-01-05
Title
SupportCandy < 2.2.7 - Arbitrary Ticket Deletion via CSRF