For our fifth security review of a plugin based on the voting of our customers, we reviewed the plugin Easy Digital Downloads.
If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here.
The review was done on version 2.7.4 of Easy Digital Downloads. We checked for the following issues:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
Lack of protection against unintended direct access of PHP files
We found several issues detailed below.
We notified the developer of the issues on February 27. The developer responded, but didn’t seem to have the best grasp of their own code when it came to one of the issues. Subsequent to that, two new versions of the plugin have been released, but no changes have been made related to the issues so far.
Information Disclosure Vulnerability
The function edd_ajax_get_download_title in the file /includes/ajax-functions.php is accessible via AJAX by those logged in and out, despite stating that it is “used only in WordPress Admin”. The function’s code will return the title for any post (not just downloads), so there is the possibility that the title of unpublished posts, private posts, or other private content stored in a post could be exposed through that. It looks like that function isn’t actually used anymore, at least we couldn’t find where it was used in the plugin.
Lack of web.config File
The plugin restricts access to files in the directory where uploaded files that are used by the plugin are stored, /wp-content/uploads/edd/, using a .htaccess file. WordPress is supported officially supported on the IIS web server, so generating a web.config file to provide the same functionality as the .htaccess file created on Apache servers by the plugin, could provide additional security.
Lack of Protection Against Direct Access to Files
While many of the plugin’s .php files have code at the beginning of the files to restrict direct access to them, others do not. For example, the files in the /templates/ directory do not. We didn’t see anything that could be exploited in the files without the restriction in place.