What is the severity of CVE-2024-13517?

CVE-2024-13517 is classified as a Stored Cross-Site Scripting vulnerability impacting Easy Digital Downloads versions up to 3.3.2.

How do I fix CVE-2024-13517?

To remediate CVE-2024-13517, update Easy Digital Downloads to version 3.3.3 or later where the vulnerability is resolved.

Which versions of Easy Digital Downloads are affected by CVE-2024-13517?

CVE-2024-13517 affects all versions of Easy Digital Downloads up to and including 3.3.2.

What type of vulnerability is CVE-2024-13517?

CVE-2024-13517 is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping.

What could an attacker achieve by exploiting CVE-2024-13517?

An attacker could potentially execute malicious scripts in the context of a user's browser session, leading to unauthorized actions and data exposure.

Vulnerability/
CVE-2024-13517

medium

4.4

CWE

18/1/2025

7/2/2025

CVE-2024-13517: Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Title

First published: Sat Jan 18 2025(Updated: )

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
Easy Digital Downloads	<3.3.3
Easy Digital Downloads eCommerce Payments and Subscriptions	<=3.3.2

Remedy

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3131805%40easy-digital-downloads&new=3131805%40easy-digital-downloads&sfp_email=&sfph_mail=

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-13517?
CVE-2024-13517 is classified as a Stored Cross-Site Scripting vulnerability impacting Easy Digital Downloads versions up to 3.3.2.
How do I fix CVE-2024-13517?
To remediate CVE-2024-13517, update Easy Digital Downloads to version 3.3.3 or later where the vulnerability is resolved.
Which versions of Easy Digital Downloads are affected by CVE-2024-13517?
CVE-2024-13517 affects all versions of Easy Digital Downloads up to and including 3.3.2.
What type of vulnerability is CVE-2024-13517?
CVE-2024-13517 is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping.
What could an attacker achieve by exploiting CVE-2024-13517?
An attacker could potentially execute malicious scripts in the context of a user's browser session, leading to unauthorized actions and data exposure.

agent/references
agent/author
agent/description
agent/type
agent/first-publish-date
agent/title
agent/weakness
agent/source
collector/mitre-cve
source/MITRE
agent/remedy
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/guess-ai
agent/tags
vendor/awesomemotive
canonical/easy digital downloads
vendor/easy digital downloads
canonical/easy digital downloads ecommerce payments and subscriptions