cbcvebase.
CVE-2023-30869
published 2023-05-02

Priority: P1 · 79 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.10% (86.1st percentile)
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1.

Affected (2 ranges)

Vendor                   Product                  Version range          Fixed in
awesomemotive            easy_digital_downloads   >= 3.1, < 3.1.1.4.2    3.1.1.4.2
easy_digital_downloads   easy_digital_downloads   3.1 – 3.1.1.4.1        -

Detection & IOCs (extracted from sources)

url     /?edd_action=user_reset_password&user_login={{username}}&pass1={{password}}&pass2={{password}}
path    /wp-content/plugins/easy-digital-downloads/
cookie  wp-resetpass-
url     /wp-json/wp/v2/users
url     /?rest_route=/wp/v2/users
  • Detect unauthenticated password-reset attempts against the EDD action handler by monitoring GET requests to /?edd_action=user_reset_password that carry pass1 and pass2 parameters from a client with no authenticated WordPress session; new-password parameters should never appear in such requests.
  • A successful unauthenticated reset produces a 302 redirect whose Set-Cookie header sets a 'wp-resetpass-' cookie; alert when that response is issued to a request without an authenticated session.
  • The exploitation chain is: enumerate WordPress users via the REST API (/wp-json/wp/v2/users or /?rest_route=/wp/v2/users), issue the unauthenticated reset for one of the returned logins, then log in with the chosen password. Correlate these three requests, in that order, from the same source IP within a short window.
  • A privilege-escalation login following the reset is confirmed by a 302 response to the login request whose Set-Cookie header contains 'wordpress_logged_in' and whose Location header points to /wp-admin; monitor for administrator logins that immediately follow an unauthenticated edd_action=user_reset_password request.
  • The plugin can be fingerprinted by the path /wp-content/plugins/easy-digital-downloads/ in HTTP responses; use it to scope detection to WordPress instances running EDD, then confirm the installed version, since the path alone does not prove the instance is vulnerable.
  • The vulnerability affects only Easy Digital Downloads versions 3.1 through 3.1.1.4.1 (fixed in 3.1.1.4.2); scope detections to that range to reduce false positives.
  • The exploit requires the WordPress REST API user-enumeration endpoint to be reachable without authentication; if the REST API is disabled or user enumeration is blocked, the first step of the chain fails. Note that the reset request itself takes a user_login parameter, so an attacker who already knows a valid username does not need this step.
  • The Nuclei template is marked 'intrusive': it performs a real password reset on the first enumerated user, which is destructive on a production site. Do not run it against live systems without authorization.
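The detection notes above describe three request patterns and a per-IP correlation. The Python below is an added example, not code from this page, from Easy Digital Downloads or from the Nuclei template: it runs that logic over constructed access-log lines and also checks a plugin version against the affected range listed on the page. Assumptions: Apache/Nginx "combined" log format, a 10-minute correlation window, and that a 302 answer to a POST /wp-login.php stands in for the 'wordpress_logged_in' / '/wp-admin' header pattern, because access logs do not record response headers.

```python
"""Correlate the CVE-2023-30869 exploitation chain in web-server access logs.

Added example, not from the cbcvebase page, Easy Digital Downloads or the
Nuclei template. Assumed: combined log format, 10-minute window, and a 302 to
POST /wp-login.php as the access-log proxy for a successful login. Sample log
lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample data: one full chain (203.0.113.7), one enumeration-only
# client, one reset without enumeration (203.0.113.44), one ordinary login.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2023:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:04 +0000] "GET /?edd_action=user_reset_password&user_login=admin&pass1=Passw0rd1&pass2=Passw0rd1 HTTP/1.1" 302 0 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.4 - - [02/May/2023:10:01:00 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2023:10:02:00 +0000] "GET /wp-content/plugins/easy-digital-downloads/assets/css/edd.min.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.44 - - [02/May/2023:12:30:00 +0000] "GET /?edd_action=user_reset_password&user_login=editor&pass1=x&pass2=x HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.9 - - [02/May/2023:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://shop.example/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": target.path,
        "query": parse_qs(target.query),
        "status": int(m["status"]),
    }


def classify(req):
    """Map a request to a chain stage ('enum', 'reset', 'login') or None."""
    q = req["query"]
    # Stage 1: REST API user enumeration, via either route form listed above.
    if req["path"].startswith("/wp-json/wp/v2/users") or any(
        r.startswith("/wp/v2/users") for r in q.get("rest_route", [])
    ):
        return "enum"
    # Stage 2: the EDD reset action carrying the new password in the query string.
    if q.get("edd_action") == ["user_reset_password"] and "pass1" in q and "pass2" in q:
        return "reset"
    # Stage 3 (assumed proxy): a login POST answered with a redirect.
    if req["path"].endswith("/wp-login.php") and req["method"] == "POST" and req["status"] == 302:
        return "login"
    return None


def correlate(lines, window=WINDOW):
    """One alert per unauthenticated reset request, enriched with whether the same
    source IP enumerated users within `window` before it and logged in within
    `window` after it. chain_complete marks the full three-step sequence."""
    by_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        stage = classify(req)
        if stage is not None:
            by_ip[req["ip"]].append((req["time"], stage, req))
    alerts = []
    for ip, events in sorted(by_ip.items()):
        for t, stage, req in events:
            if stage != "reset":
                continue
            enum_seen = any(s == "enum" and timedelta(0) <= t - t2 <= window for t2, s, _ in events)
            login_seen = any(s == "login" and timedelta(0) <= t2 - t <= window for t2, s, _ in events)
            alerts.append({
                "ip": ip,
                "time": t.isoformat(),
                "target_user": req["query"].get("user_login", [""])[0],
                "enum_seen": enum_seen,
                "login_seen": login_seen,
                "chain_complete": enum_seen and login_seen,
            })
    return alerts


def version_is_affected(version, low="3.1", high_exclusive="3.1.1.4.2"):
    """True if a numeric dotted plugin version is in the page's affected range
    (>= 3.1, < 3.1.1.4.2). Shorter versions are zero-padded before comparing."""
    def key(v):
        return tuple(int(p) for p in v.split("."))
    width = max(len(key(v)) for v in (version, low, high_exclusive))
    v, lo, hi = (key(x) + (0,) * (width - len(key(x))) for x in (version, low, high_exclusive))
    return lo <= v < hi


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
    print("3.1.1.4.1 affected:", version_is_affected("3.1.1.4.1"))
```

Alerts are anchored on the reset request rather than on enumeration, because a reset with pass1/pass2 in the query string is already actionable on its own (the 203.0.113.44 case), while the enumeration-only client is just noise until it is followed by a reset; the chain_complete flag separates the two.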

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   9.8 CRITICAL