CVE-2024-9654

CVSS V2 None CVSS V3 None

Description

The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.

Overview

CVE ID
CVE-2024-9654

Assigner
Wordfence

Vulnerability Status
PUBLISHED

Published Version
2024-12-17T11:10:18.973Z

Last Modified Date
2024-12-17T17:29:09.742Z

Weakness Enumerations

CWE	URL
CWE-863	http://cwe.mitre.org/data/definitions/863.html

References

Reference URL	Reference Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3f4de75-abf5-46e8-854d-be91ed74a5f3?source=cve
https://plugins.trac.wordpress.org/changeset/3188001/easy-digital-downloads/trunk/includes/blocks/includes/orders/functions.php?old=2990247&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fblocks%2Fincludes%2Forders%2Ffunctions.php

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-9654
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9654

History

Created	Old Value	New Value	Data Type	Notes
2024-12-18 13:24:46				Added to TrackCVE