CVE-2022-2439
HIGHAwesomemotive Easy Digital Downloads - Insecure Deserialization
Title source: ruleDescription
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
References (3)
Scores
CVSS v3
7.2
EPSS
0.0104
EPSS Percentile
77.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (1)
awesomemotive/easy_digital_downloads
< 3.3.4
Timeline
Published
Sep 24, 2024
Tracked Since
Feb 18, 2026