What is the severity of CVE-2024-9654?

CVE-2024-9654 has a medium severity rating due to improper authorization resulting from insufficient validation checks.

How do I fix CVE-2024-9654?

To fix CVE-2024-9654, update the Easy Digital Downloads plugin to version 3.3.5 or later.

Which versions of Easy Digital Downloads are affected by CVE-2024-9654?

CVE-2024-9654 affects versions 3.1 through 3.3.4 of the Easy Digital Downloads plugin.

What kind of vulnerability is CVE-2024-9654?

CVE-2024-9654 is classified as an Improper Authorization vulnerability.

What functionality is compromised by CVE-2024-9654?

The functionality compromised by CVE-2024-9654 involves the 'verify_guest_email' function, which fails to validate if the requesting user is the intended recipient.

Vulnerability/
CVE-2024-9654

low

3.7

CWE

863

EPSS

0.046%

17/12/2024

7/2/2025

CVE-2024-9654: Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass

First published: Tue Dec 17 2024(Updated: )

The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
Easy Digital Downloads	>=3.1<=3.3.4
Easy Digital Downloads	>=3.1<3.3.5

Remedy

https://plugins.trac.wordpress.org/changeset/3188001/easy-digital-downloads/trunk/includes/blocks/includes/orders/functions.php?old=2990247&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fblocks%2Fincludes%2Forders%2Ffunctions.php

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-9654?
CVE-2024-9654 has a medium severity rating due to improper authorization resulting from insufficient validation checks.
How do I fix CVE-2024-9654?
To fix CVE-2024-9654, update the Easy Digital Downloads plugin to version 3.3.5 or later.
Which versions of Easy Digital Downloads are affected by CVE-2024-9654?
CVE-2024-9654 affects versions 3.1 through 3.3.4 of the Easy Digital Downloads plugin.
What kind of vulnerability is CVE-2024-9654?
CVE-2024-9654 is classified as an Improper Authorization vulnerability.
What functionality is compromised by CVE-2024-9654?
The functionality compromised by CVE-2024-9654 involves the 'verify_guest_email' function, which fails to validate if the requesting user is the intended recipient.

agent/title
agent/weakness
agent/references
agent/type
agent/first-publish-date
agent/description
agent/author
agent/severity
agent/trending
collector/mitre-cve
source/MITRE
collector/epss-latest
source/FIRST
agent/epss
agent/source
agent/guess-ai
agent/software-canonical-lookup
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
agent/tags
vendor/easy digital downloads
canonical/easy digital downloads
vendor/awesomemotive
version/easy digital downloads/3.1