CVE-2023-30869
Published: 2023-05-02
Priority: P1 (79) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · Exploit · VulnCheck KEV (exploited in the wild)
EPSS: 3.10% (86.1st percentile)
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awesomemotive | easy_digital_downloads | >= 3.1 < 3.1.1.4.2 | 3.1.1.4.2 |
| easy_digital_downloads | easy_digital_downloads | 3.1 – 3.1.1.4.1 | — |
Detection & IOCs (extracted from the sources listed below)
- url: /?edd_action=user_reset_password&user_login={{username}}&pass1={{password}}&pass2={{password}}
- path: /wp-content/plugins/easy-digital-downloads/
- cookie: wp-resetpass-
- url: /wp-json/wp/v2/users
- url: /?rest_route=/wp/v2/users
- Detect unauthenticated password reset attempts through the EDD plugin by monitoring GET requests to /?edd_action=user_reset_password that carry pass1 and pass2 parameters. The plugin's own reset form submits these fields by POST together with a reset key, so a new password arriving in a GET query string is the exploit signature and should be alerted on regardless of the response code.
- A successful unauthenticated password reset produces a 302 redirect whose Set-Cookie header sets a cookie named wp-resetpass-…; alert on that pattern when the request carried no WordPress authentication cookie.
- The exploitation chain is: enumerate WordPress users via the REST API (/wp-json/wp/v2/users or /?rest_route=/wp/v2/users), issue the unauthenticated password reset for one of the returned usernames, then log in with the new password. Correlate these three requests, in that order and within a short window, from the same source IP.
- After the reset, a successful login is confirmed by a 302 response whose Set-Cookie header carries a wordpress_logged_in cookie and whose Location header points to /wp-admin; monitor for administrator logins that immediately follow an edd_action=user_reset_password request.
- Presence of the Easy Digital Downloads plugin can be fingerprinted via the path /wp-content/plugins/easy-digital-downloads/ in HTTP responses; use this to scope detection to WordPress instances that actually run the plugin.
- The vulnerability affects only Easy Digital Downloads versions 3.1 through 3.1.1.4.1 (fixed in 3.1.1.4.2); scope detections to that version range to reduce false positives. Compare versions component by component rather than as strings, since these are five-part version numbers.
- The published exploit chain uses the WordPress REST API user enumeration endpoint, so blocking or disabling it breaks the first step of that chain. It is not a mitigation for the vulnerability itself: the reset request only needs a valid username, which an attacker may already know or obtain another way (author archives, login error messages).
- The Nuclei template is marked 'intrusive': it performs an actual password reset on the first enumerated user and then logs in with the new password, which is destructive in production environments; do not run it against live sites without authorization.
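The correlation described in the detection notes above, as an added example (this is not code from this page, from Wordfence, or from the Easy Digital Downloads project). It assumes a combined-style access log with one extra quoted field holding the response's Set-Cookie header (for example nginx's $sent_http_set_cookie); with a stock combined log only the request-side checks fire. The sample log lines are constructed, and the helper names parse_line, classify, detect and is_affected are this example's own. The version check goes slightly beyond the page: it shows why five-part versions must be compared numerically rather than as strings.

```python
"""Flag the CVE-2023-30869 exploitation chain in web-server access logs.

Added example, not from the page or the EDD project. Assumes a combined-style
log with one extra quoted field holding the response Set-Cookie header
(e.g. nginx $sent_http_set_cookie); stock combined logs lack that field.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<set_cookie>[^"]*)")?$'
)

# Affected range from the advisory: >= 3.1 and < 3.1.1.4.2.
AFFECTED_MIN = (3, 1)
FIXED_IN = (3, 1, 1, 4, 2)


def parse_version(s):
    """'3.1.1.4.1' -> (3, 1, 1, 4, 1). Tuples compare per component, so
    3.1.1.4.10 sorts above 3.1.1.4.2; a string compare gets that backwards."""
    return tuple(int(p) for p in s.strip().split("."))


def is_affected(version):
    """True for plugin versions inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # keep_blank_values: a request with pass1=&pass2= is still a reset attempt
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    rec["set_cookie"] = rec["set_cookie"] or ""
    return rec


def classify(rec):
    """Map one request onto a stage of the chain, or None if unrelated."""
    q = rec["query"]
    if (rec["path"].startswith("/wp-json/wp/v2/users")
            or q.get("rest_route", [""])[0].startswith("/wp/v2/users")):
        return "enumerate"
    if q.get("edd_action") == ["user_reset_password"] and "pass1" in q and "pass2" in q:
        return "reset"
    if (rec["method"] == "POST" and rec["path"] == "/wp-login.php"
            and rec["status"] == "302" and "wordpress_logged_in" in rec["set_cookie"]):
        return "login"
    return None


def detect(log_text, window_seconds=600):
    """One finding per source IP that sent a reset request. Severity rises when
    the reset was confirmed (302 + wp-resetpass- cookie) and again when a login
    that sets wordpress_logged_in follows within the window."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        stage = classify(rec) if rec else None
        if stage:
            per_ip[rec["ip"]].append((rec["ts"], stage, rec))
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        resets = [e for e in events if e[1] == "reset"]
        if not resets:
            continue
        t0, _, rec = resets[0]
        f = {
            "user": rec["query"].get("user_login", ["?"])[0],
            "reset_confirmed": rec["status"] == "302" and "wp-resetpass-" in rec["set_cookie"],
            "enumerated_first": any(s == "enumerate" and 0 <= (t0 - ts).total_seconds() <= window_seconds
                                    for ts, s, _ in events),
            "login_after": any(s == "login" and 0 <= (ts - t0).total_seconds() <= window_seconds
                               for ts, s, _ in events),
        }
        f["severity"] = ("critical" if f["login_after"]
                         else "high" if f["reset_confirmed"] else "medium")
        findings[ip] = f
    return findings


# Constructed sample traffic: documentation addresses, fake cookie values.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2023:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/8.0" "-"
203.0.113.7 - - [02/May/2023:10:00:02 +0000] "GET /?edd_action=user_reset_password&user_login=admin&pass1=N3wP%40ss&pass2=N3wP%40ss HTTP/1.1" 302 0 "-" "curl/8.0" "wp-resetpass-7f3a=admin%3Aabc; path=/wp-login.php; HttpOnly"
203.0.113.7 - - [02/May/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0" "wordpress_logged_in_7f3a=admin%7Cxyz; path=/wp-admin; HttpOnly"
198.51.100.9 - - [02/May/2023:10:05:00 +0000] "GET /?edd_action=user_reset_password&user_login=editor&pass1=&pass2= HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
192.0.2.5 - - [02/May/2023:10:07:00 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 910 "-" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

Run on the constructed sample, 203.0.113.7 is reported as critical (enumeration, confirmed reset, then a wordpress_logged_in login), 198.51.100.9 as medium (a reset attempt that got a 200 and no cookie), and 192.0.2.5 is not reported because a user enumeration request on its own is common scanner noise. The reset stage is the alert trigger on purpose: the other two stages only raise the severity, so an attacker who skips REST enumeration is still caught.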
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-49r3-jh88-8r77 · ghsa_unreviewed · 2023-07-06 · CWE-287 · CRITICAL
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
VulnCheck
awesomemotive easy_digital_downloads Improper Authentication · 2023 · CVSS 9.8 CRITICAL
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
Affected: awesomemotive easy_digital_downloads
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/easy-digital-downloads/easy-digital-downloads-31141-unauthenticated-arbitrary-password-reset-to-privilege-escalation
No detection rules found.
Nuclei
Easy Digital Downloads - Privilege Escalation · CVSS 9.8 CRITICAL
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
Template:
id: CVE-2023-30869
info:
  name: Easy Digital Downloads - Privilege Escalation
  author: daffainfo
  severity: critical
  description: |
    Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.
  impact: |
    Unauthenticated attackers can exploit improper authentication in the password reset functionality to reset any user's password and gain administrative access to WordPress sites using Easy Digital Downloads.
  remediation: |
    Update Easy Digital D
No writeups or analysis indexed.
References:
- https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve