Easy Digital Downloads <= 2.11.5 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability

Administrator

Published
2022-03-27

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

CVE

https://www.cve.org/CVERecord?id=CVE-2022-0706

CVSS

Score:4.8

Severity:Medium

Version: 2.11.5

There is a patch available in v2.11.6 and we strongly recommend you update to this version as soon as possible.