2 Feb 2024

Cross-Site Request Forgery (CSRF) Vulnerability in Easy Digital Downloads

The changelog for the latest version of Easy Digital Downloads has a couple of entries that suggest that security changes have been made to the plugin. In looking over the changes that were made, we found an undisclosed fix for a minor vulnerability. As the relevant code was being moved and reformatted, it seems possible that this wasn’t recognised as a vulnerability fix, so it wasn’t mentioned in the changelog. Or it was being hidden (that happens, unfortunately). The vulnerability involved cross-site request forgery (CSRF), and we found an additional instance of it in similar code that still exists in the plugin. We have notified the developer of that and offered to help them fix it.

[Read more]

3 May 2023

Awesome Motive’s Easy Digital Downloads is Still Lacking Basic Security Despite Contrary Claim by Patchstack

Most days we see what appears to be a hacker probing for the usage of a single WordPress plugin with a recently disclosed vulnerability through a single request for a file on each of our websites. Yesterday, we saw them doubling up both on the files they were requesting and the IP addresses being used. The plugin they were looking for was Easy Digital Downloads. It wasn’t hard to guess why, as Patchstack had disclosed how to exploit a serious vulnerability that had been fixed the day before. While reviewing this, we found that there are still security issues that run counter to a central claim made by Patchstack.

Before we get to that, it’s important to note who the developer of the plugin is. That is Awesome Motive. That would be the Awesome Motive that has a chief security officer (CSO) who is also the “security reviewer” on the team running the WordPress Plugin Directory. That would be the Awesome Motive that took two months to fix a publicly known vulnerability in a plugin with 3+ million installs. They frequently acquire existing WordPress plugins, which is how they came to be the developer of this plugin. The vulnerability that was fixed was introduced six months after they had acquired the plugin. [Read more]

3 Oct 2019

Vulnerability Details: Information Disclosure in Easy Digital Downloads

The changelog for the latest version of Easy Digital Downloads is “Security Fix: Prevent an authentication bypass to the EDD REST API when no API keys exist.” That sounded like a vulnerability recently fixed in another plugin, and as it turned out, that is because they shared the same code. Looking at the changes made in that version confirmed that the issue was the same one Wordfence had recently found in the plugin Give (GiveWP): you could access the API without needing to have a valid API key, as was intended. In Easy Digital Downloads that API “provides easy access to sales and product information in either jSON or XML format”.

[Read more]

1 Aug 2017

What Happened With WordPress Plugin Vulnerabilities in July 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet): [Read more]

31 Mar 2017

Information Disclosure Vulnerability in Easy Digital Downloads

One of the features of our service is that our customers get to suggest and vote for plugins to get a security review done by us. Last month we did a review of the plugin Easy Digital Downloads and one of the issues we found through that was an information disclosure vulnerability.

The function edd_ajax_get_download_title in the file /includes/ajax-functions.php is accessible via AJAX to both logged-in and logged-out users, despite a comment stating that it is “used only in WordPress Admin”. The function is intended to return the title of the plugin’s downloads, but as can be seen below, it lacks any restriction as to what post it will return the title of: [Read more]

31 Mar 2017

WordPress Plugin Security Review: Easy Digital Downloads

For our fifth security review of a plugin based on the voting of our customers, we reviewed the plugin Easy Digital Downloads.

If you are not yet a customer of the service, you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service who haven’t already suggested and voted for plugins, you can start doing that here. [Read more]