CVE-2022-2387

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sandhillsdev:easy_digital_downloads:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2022-11-07 10:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-2387

Mitre link : CVE-2022-2387

CVE.ORG link : CVE-2022-2387

JSON object : View

Products Affected

sandhillsdev

easy_digital_downloads

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

4.3 /10