This security advisory is written about a critical Easy Digital Downloads vulnerability originally discovered by Nguyen Anh Tien and reported to us through our bug bounty program. Patchstack users have received a virtual patch to protect their site against this vulnerability.
Patchstack Pro and Business users are protected from the vulnerability in Easy Digital Downloads. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.
For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.
The Easy Digital Downloads plugin is described as a plugin that gives you unlimited products with no hidden listing fees, unlimited transactions and unlimited possibilities.
On April 21st, 2023, Nguyen Anh Tien reported a critical vulnerability to us that exists in the Easy Digital Downloads plugin versions 22.214.171.124.1 and below. The plugin dispatches an action name taken from the request to WordPress hooks registered under the edd_ prefix, which makes it possible for any visitor, authenticated or not and regardless of role, to trigger any action registered with that prefix.
One of the hooks under that prefix performs a password reset. Its handler did not validate a password reset key; it simply set the password supplied in the request on the user named in the request. Anyone who knew a username, including the administrator's, could therefore set a new password for that account and log in as that user.
The root cause is the unrestricted dispatch of edd_-prefixed actions combined with the missing reset-key check. The patch can be seen here. With the patch, the password reset function can no longer be called directly, and additional validation ensures that a password reset key is present and legitimate before any password is changed.
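The following is an added illustration of the pattern described above, not code from the Easy Digital Downloads plugin or from the patch. The hook name, function names and request parameter names are assumptions chosen for the illustration; only the WordPress core functions (get_user_by, reset_password, check_password_reset_key, wp_verify_nonce, is_wp_error) are real. It shows a request-driven action dispatcher, the vulnerable shape of a reset handler that trusts the request, and a hardened handler that requires a valid reset key and nonce.

```php
<?php
// Added example (not the plugin's own code). All names are illustrative
// assumptions: demo_* functions, the edd_user_reset_password hook name and
// the request parameters user_login, key, new_pass, confirm_pass, _wpnonce.

// A request-driven dispatcher. Any value of edd_action in the request is
// turned into do_action( 'edd_' . $action ), so every hook registered under
// the edd_ prefix is reachable by an unauthenticated visitor.
function demo_process_actions() {
    $action = isset( $_REQUEST['edd_action'] ) ? sanitize_key( $_REQUEST['edd_action'] ) : '';
    if ( '' !== $action ) {
        do_action( 'edd_' . $action, $_REQUEST );
    }
}
add_action( 'init', 'demo_process_actions' );

// VULNERABLE shape: the handler reads a username and a new password straight
// from the request and changes the password. No reset key is ever checked,
// so knowing a username is enough to take over the account.
function demo_reset_password_vulnerable( $data ) {
    $user = get_user_by( 'login', (string) ( $data['user_login'] ?? '' ) );
    if ( $user ) {
        reset_password( $user, (string) ( $data['new_pass'] ?? '' ) );
    }
}
// add_action( 'edd_user_reset_password', 'demo_reset_password_vulnerable' );

// HARDENED shape: the handler refuses to act unless
//  1. a form nonce for this specific action is present and valid,
//  2. the reset key matches the one WordPress stored for that login
//     (check_password_reset_key returns WP_Error otherwise), and
//  3. the new password is non-empty and was confirmed.
function demo_reset_password_hardened( $data ) {
    if ( empty( $data['user_login'] ) || empty( $data['key'] ) ) {
        return;
    }
    if ( ! isset( $data['_wpnonce'] )
        || ! wp_verify_nonce( (string) $data['_wpnonce'], 'demo-reset-password' ) ) {
        return;
    }
    $user = check_password_reset_key( (string) $data['key'], (string) $data['user_login'] );
    if ( is_wp_error( $user ) ) {
        return; // expired, mismatched or unknown key: do nothing
    }
    $pass = (string) ( $data['new_pass'] ?? '' );
    if ( '' === $pass || $pass !== (string) ( $data['confirm_pass'] ?? '' ) ) {
        return;
    }
    reset_password( $user, $pass );
}
add_action( 'edd_user_reset_password', 'demo_reset_password_hardened' );
```

The key design point is that the reset key, not the username, is the credential: a handler that changes a password must only do so after check_password_reset_key has tied the supplied key to that login, and the dispatcher should not expose state-changing hooks to arbitrary request values at all. Site owners who ran an affected version should verify the installed plugin version and review administrator accounts for unexpected password changes or logins.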
21-04-2023 – Vulnerability was reported to us by Nguyen Anh Tien.
21-04-2023 – We reached out to the developer of the plugin.
01-05-2023 – Version 126.96.36.199.2 was published to patch the reported issues.
01-05-2023 – Added the vulnerabilities to the Patchstack vulnerability database.
02-05-2023 – Published the article as the vulnerability became public knowledge.
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.