CVE-2022-2439
Published 2024-09-24
Priority: P3 41
Severity: high, 7.2 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (percentile 47.3)
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including, 3.3.3. An authenticated administrative user can supply a file path that uses the phar:// stream wrapper; when the plugin opens that path, PHP deserializes the PHAR archive's metadata and instantiates arbitrary PHP objects, which can be used to perform a variety of malicious actions provided a POP chain is also present.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | < 3.3.4 | 3.3.4 |
| smub | easy_digital_downloads_ecommerce_payments_and_subscriptions_made_easy | <= 3.3.3 | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/includes/admin/import/import-functions.php
- https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/src/Utils/FileSystem.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dc?source=cve