Easy Digital Downloads < 3.3.3 – Authenticated (Admin+) Arbitrary File Download | CVE 2024-12875 | Plugin Vulnerabilities

Description

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

easy-digital-downloads

Fixed in 3.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ec065da7-b8aa-414d-9673-5caf87ad45b5

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Sajjad Ahmad (jack_sparrow)

Verified

No

WPVDB ID

b4ba926c-bf06-4649-a5b1-05544e8f029f

Timeline

Publicly Published

2024-12-20 (about 1 year ago)

Added

2024-12-20 (about 1 year ago)

Last Updated

2025-12-11 (about 6 months ago)

Other

Published

Title

Published

2026-01-06

Title

EmailKit < 1.6.2 - Authenticated (Author+) Arbitrary File Read via Path Traversal

Published

2025-12-20

Title

WPvivid Backup & Migration < 0.9.121 - Admin+ Arbitrary Directory Creation

Published

2023-10-12

Title

Remote Content Shortcode <= 1.5 - Authenticated(Contributor+) Local File Inclusion via shortcode

Published

2026-03-20

Title

Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read

Published

2022-02-16

Title

Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion