Premium Packages – Sell Digital Products Securely < 5.9.4 – Reflected Cross-Site Scripting via add_query_arg | CVE 2024-11225 | Plugin Vulnerabilities

Description

The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

wpdm-premium-packages

Fixed in 5.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e847fd-0932-4d65-a201-b86e39a33588

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

bb9cf158-b9a7-45e0-8155-25c68f47e7f6

Timeline

Publicly Published

2024-11-21 (about 1 year ago)

Added

2024-11-21 (about 1 year ago)

Last Updated

2024-11-25 (about 1 year ago)

Other

Published

Title

Published

2024-03-29

Title

Mighty Classic Pros And Cons <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-02

Title

Lexicata <= 1.0.16 - Reflected Cross-Site Scripting

Published

2021-07-05

Title

Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2024-07-19

Title

Gutenverse < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

XTRA Settings <= 2.1.8 - Reflected Cross-Site Scripting