CVE Vulnerability

CVE-2021-39354

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

4.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset/2616149/easy-digital-downloads/trunk/includes/admin/payments/class-payments-table.php Patch Third Party Advisory
https://github.com/BigTiger2020/word-press/blob/main/Easy%20Digital%20Downloads.md Exploit Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39354 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:sandhillsdev:easy_digital_downloads:*:*:*:*:*:wordpress:*:*
Information

Published : 2021-10-21 08:15

Updated : 2021-10-27 10:29

NVD link : CVE-2021-39354

Mitre link : CVE-2021-39354

Products Affected

Easy Digital Downloads

Sandhillsdev

CWE
CWE-79