First published: Mon Apr 18 2022
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix
---|---|---
Sandhillsdev Easy Digital Downloads | <2.11.6 | Update to 2.11.6 or newer
CVE-2022-0706 is a vulnerability found in the Easy Digital Downloads WordPress plugin before version 2.11.6.
CVE-2022-0706 has a medium severity rating with a score of 4.8.
CVE-2022-0706 affects the Easy Digital Downloads plugin because the Downloadable File Name is written to the plugin's Logs without being sanitized or escaped, so a high-privilege user who saves a file name containing markup can perform a stored Cross-Site Scripting (XSS) attack. This holds even when the unfiltered_html capability is disallowed, which is the WordPress setting intended to stop even administrators from posting arbitrary HTML and script.
The potential impact of CVE-2022-0706 is that script injected this way runs in the browser of anyone who views the affected Logs page, which could be used to gain unauthorized access or alter the behavior of the affected WordPress site.
To fix CVE-2022-0706, update the Easy Digital Downloads WordPress plugin to version 2.11.6 or newer, which sanitizes and escapes the Downloadable File Name before it is shown in the Logs.
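The bug class described above, shown as an added illustrative example that is not Easy Digital Downloads' own code: a user-supplied file name is rendered into a WordPress admin log table, first concatenated straight into the markup (the vulnerable pattern) and then escaped at the point of output with esc_html() (the fix). All example_ function names, the row layout and the sample log entry are hypothetical; the esc_html() stand-in exists only so the file runs under the plain PHP CLI without WordPress, where the real function is already defined.

```php
<?php
// Added example for CVE-2022-0706's bug class (unescaped file name in a
// WordPress admin logs screen). Not Easy Digital Downloads' code; every
// example_ function and the sample entry below are hypothetical.

// Stand-in so the file runs under the plain PHP CLI. Inside WordPress the
// real esc_html() is already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Vulnerable rendering: the stored file name is concatenated straight into
 * the markup, so any HTML saved in the file-name setting is interpreted by
 * the browser of whoever views the log page.
 */
function example_render_log_row_unsafe( array $entry ) {
    return '<tr><td>' . $entry['file_name'] . '</td><td>' . $entry['user_id'] . '</td></tr>';
}

/**
 * Hardened rendering: escape every field at the point of output. Escaping
 * here, rather than relying only on sanitizing at save time, means entries
 * that were stored before the update are also rendered safely.
 */
function example_render_log_row_safe( array $entry ) {
    return sprintf(
        '<tr><td>%s</td><td>%d</td></tr>',
        esc_html( $entry['file_name'] ),
        (int) $entry['user_id']
    );
}

/**
 * Self-check: a file name containing markup characters must not reach the
 * page as raw HTML. Returns true when the safe renderer encodes it and the
 * unsafe renderer passes it through unchanged.
 */
function example_self_check() {
    // Constructed sample entry; the angle brackets stand in for any markup.
    $entry  = array( 'file_name' => 'quarterly<report>.pdf', 'user_id' => 7 );
    $unsafe = example_render_log_row_unsafe( $entry );
    $safe   = example_render_log_row_safe( $entry );

    return strpos( $unsafe, '<report>' ) !== false
        && strpos( $safe, '<report>' ) === false
        && strpos( $safe, '&lt;report&gt;' ) !== false;
}

if ( PHP_SAPI === 'cli' ) {
    echo example_self_check() ? "escaping ok\n" : "escaping FAILED\n";
}
```

Run it with `php example.php`; it prints `escaping ok` when the safe renderer encodes the angle brackets. In a real plugin the complementary half of the fix is sanitizing the value when it is saved (WordPress's sanitize_text_field() or sanitize_file_name()), but output escaping is the part that closes the gap for values that are already in the database, and it is also the part that does not depend on whether the viewing user holds unfiltered_html.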