Easy Digital Downloads < 3.0 – Arbitrary Post Deletion via CSRF | CVE 2022-2387

Description

The plugin does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&payment%5B0%5D=1&payment%5B1%5D=2&action=delete

Affects Plugins

easy-digital-downloads

Fixed in 3.0

References

CVE

CVE-2022-2387

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

kazet1234

Verified

Yes

WPVDB ID

db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8

Timeline

Publicly Published

2022-10-17 (about 3 years ago)

Added

2022-10-17 (about 3 years ago)

Last Updated

2022-10-17 (about 3 years ago)

Other

Published

Title

Published

2023-11-13

Title

Stop Referrer Spam < 1.3.1 - CSRF

Published

2025-02-27

Title

Wp Social Login and Register Social Counter < 3.1.1 - Cross-Site Request Forgery to Settings Update

Published

2022-03-08

Title

Analytics Cat < 1.1.0 - Settings Update via CSRF

Published

2023-10-26

Title

Auto Limit Posts Reloaded <= 2.5 - Cross-Site Request Forgery

Published

2025-05-07

Title

Pays – WooCommerce Payment Gateway < 2.7 - Cross-Site Request Forgery