Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML
As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a vulnerability. That same day, Wordfence claimed that the version had fixed what they labeled as an “Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options” vulnerability and described this way:
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
What should have been a fairly obvious question when assessing whether there really was a vulnerability being addressed is what access a user with the Shop Manager role has. Upon logging in as a user with that role, we found that they appear to have full control of the plugin’s functionality. What we also found was that they could create new WordPress posts and add JavaScript code to them. They could only do that if they have the unfiltered_html capability, which, looking at the plugin’s code, they do:
```php
public function add_roles() {
	add_role(
		'shop_manager',
		__( 'Shop Manager', 'easy-digital-downloads' ),
		array(
			'read'            => true,
			'edit_posts'      => true,
			'delete_posts'    => true,
			'unfiltered_html' => true,
```
The documentation for that capability has these notes:
- Allows user to post HTML markup or even JavaScript code in pages, posts, comments and widgets.
- Note: Enabling this option for untrusted users may result in their posting malicious or poorly formatted code.
If Wordfence thinks that it is a vulnerability for Shop Managers to be able to use unfiltered HTML, the issue hasn’t been solved.
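A site operator who wants to know which roles on their own site carry that capability can check it directly. The following must-use plugin is an added example, not code from Easy Digital Downloads or from this post; it lists every role whose capability map grants unfiltered_html and, only if the example-only constant `EDD_EXAMPLE_REVOKE_SHOP_MANAGER_UNFILTERED` is switched on, removes the capability from the `shop_manager` role.

```php
<?php
/**
 * Plugin Name: Audit roles with unfiltered_html (added example, not part of the post)
 *
 * Drop into wp-content/mu-plugins/. Logs every role that grants unfiltered_html
 * and can optionally revoke it from the Easy Digital Downloads shop_manager role.
 */

// Assumption: example-only switch. Set to true only if Shop Managers should not
// be allowed to publish raw HTML/JavaScript. A site-wide alternative provided by
// WordPress core is define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php.
const EDD_EXAMPLE_REVOKE_SHOP_MANAGER_UNFILTERED = false;

/**
 * Return the slugs of all roles whose stored capability map grants unfiltered_html.
 * Note: on multisite, core's map_meta_cap() denies unfiltered_html to everyone but
 * super admins regardless of role, so this reflects single-site behaviour.
 */
function edd_example_roles_with_unfiltered_html() {
	$found = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
			$found[] = $slug;
		}
	}
	return $found;
}

// Plugins register their roles on init, so run after them (priority 20).
add_action( 'init', function () {
	$roles = edd_example_roles_with_unfiltered_html();
	error_log( 'Roles granting unfiltered_html: ' . implode( ', ', $roles ) );

	if ( EDD_EXAMPLE_REVOKE_SHOP_MANAGER_UNFILTERED && in_array( 'shop_manager', $roles, true ) ) {
		$shop_manager = get_role( 'shop_manager' );
		if ( $shop_manager ) {
			// remove_cap() persists the change in the options table and is
			// idempotent, so running on every request is harmless.
			$shop_manager->remove_cap( 'unfiltered_html' );
			error_log( 'Revoked unfiltered_html from shop_manager' );
		}
	}
}, 20 );
```

Check the debug log (or a hook of your choice) after one page load; on a default Easy Digital Downloads install the administrator, editor and shop_manager roles are expected to appear.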
Lacking Information to Check on This
As described, that isn’t a vulnerability, but there is still the possibility of a vulnerability or a lesser security issue. Considering that Wordfence doesn’t appear to have done basic due diligence here, it would be important to confirm that, if there was a security issue, it was fully addressed. Unfortunately, Wordfence hasn’t provided basic information, like how this was supposed to be fixed or how it was supposed to be exploited, that would allow checking that.
There was sanitization added in the file /includes/class-edd-register-meta.php that appears to be related to what they are referencing, but we couldn’t find where it could be exploited. (The changelog appears to be mentioning that as if validation instead of sanitization was done, “Admin: Improved validation of saving some store settings.”)
If it was exploitable, it appears that it would be exploitable by lower-level users. It also seems possible that they confused something a Shop Manager is allowed to do elsewhere, equivalent to this and based on the unfiltered_html capability, with there being an issue here.
WPScan Too
WPScan is also claiming this was a vulnerability, while at the same time saying they haven’t verified it. How can you say there is a vulnerability when you haven’t verified that?