This security advisory is written about a critical Easy Digital Downloads vulnerability originally discovered by Nguyen Anh Tien and reported to us through our bug bounty program. Patchstack users have received a vPatch to protect their site against this vulnerability.
Patchstack Pro and Business users are protected from the vulnerability in Easy Digital Downloads. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.
For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.
About the Easy Digital Downloads plugin
The Easy Digital Downloads plugin is described as a plugin that gives you unlimited products with no hidden listing fees, unlimited products, unlimited transactions and provides unlimited possibilities.
Easy Digital Downloads vulnerability information
On April 21st, 2023, Nguyen Anh Tien reported a critical vulnerability to us that exists in the Easy Digital Downloads plugin versions 3.1.1.4.1 and below. This vulnerability makes it possible for any user, regardless of their current authentication and authorization, to execute any action registered with the prefix edd_.
This prefix is also present in one of the methods that performs a password reset which means it's possible to reset the password of any user as long as you know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.
The patch in the Easy Digital Downloads plugin
This issue occurs because we are able to call any action registered with the edd_ prefix. The patch can be seen here. This shows that the function can no longer be called directly and includes additional validation to make sure that the password reset key is present and legitimate.
Disclosure timeline
21-04-2023 - Vulnerability was reported to us by Nguyen Anh Tien.
21-04-2023 - We reached out to the developer of the plugin.
01-05-2023 - Version 3.1.1.4.2 was published to patch the reported issues.
01-05-2023 - Added the vulnerabilities to the Patchstack vulnerability database.
02-05-2023 - Published the article as the vulnerability became public knowledge.
Help us make the web a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
