PT-2023-6982 · WordPress · Easy Digital Downloads

Published: 2023-01-12 · Updated: 2025-04-03 · CVE-2023-23489

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Easy Digital Downloads versions 3.1.0.2 through 3.1.0.3
Easy Digital Downloads versions prior to 3.1.0.4
Description

The issue is an unauthenticated SQL injection vulnerability in the edd_download_search AJAX action, specifically in its s parameter. A remote attacker can exploit it without authentication to execute arbitrary SQL queries against the site database. The vulnerable code is the edd_ajax_download_search() function in the ./includes/ajax-functions.php file of the Easy Digital Downloads plugin for WordPress.
Recommendations

For versions 3.1.0.2 and 3.1.0.3, update to version 3.1.0.4 or later to resolve the issue. For versions prior to 3.1.0.4, update to version 3.1.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the edd_download_search action to minimize the risk of exploitation. Avoid using the s parameter in the affected API endpoint until the issue is resolved.
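One way to implement the temporary workaround described above, as an added example that is not part of this advisory and not code from the Easy Digital Downloads project: a WordPress must-use plugin that refuses the edd_download_search AJAX action to unauthenticated callers while the installed plugin version is still below 3.1.0.4. It assumes the action is dispatched through admin-ajax.php under the name edd_download_search (as given in the description) and that the plugin exposes its version in an EDD_VERSION constant; the EDDLOCK_* names are ours.

```php
<?php
/**
 * Plugin Name: EDD download search lockdown (temporary workaround)
 *
 * Added illustrative example, not code from the Easy Digital Downloads project
 * or from this advisory. Place it in wp-content/mu-plugins/ so it loads before
 * regular plugins. Assumptions: the affected AJAX action is named
 * edd_download_search and is reached through admin-ajax.php, and the plugin
 * defines EDD_VERSION. Remove once the site runs 3.1.0.4 or later.
 */

defined( 'ABSPATH' ) || exit;

const EDDLOCK_ACTION        = 'edd_download_search';
const EDDLOCK_FIXED_VERSION = '3.1.0.4';

/**
 * True while the installed plugin version is in the affected range.
 * If EDD_VERSION is not defined (assumed constant), fail closed and keep
 * the lockdown active.
 */
function eddlock_is_vulnerable_version() {
    if ( ! defined( 'EDD_VERSION' ) ) {
        return true;
    }
    return version_compare( EDD_VERSION, EDDLOCK_FIXED_VERSION, '<' );
}

/**
 * Deny the affected action to unauthenticated callers. admin-ajax.php fires
 * admin_init before it dispatches the wp_ajax_* / wp_ajax_nopriv_* hooks, so
 * stopping the request here prevents the vulnerable handler from running.
 */
function eddlock_block_unauthenticated_search() {
    if ( ! wp_doing_ajax() || ! eddlock_is_vulnerable_version() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( EDDLOCK_ACTION !== $action ) {
        return;
    }

    if ( is_user_logged_in() ) {
        return; // authenticated users keep the feature; the update is still required
    }

    // Leave an audit trail so blocked attempts show up in the PHP error log.
    error_log( sprintf(
        'eddlock: blocked unauthenticated %s request from %s',
        EDDLOCK_ACTION,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_send_json_error(
        array( 'message' => 'Download search is temporarily disabled.' ),
        403
    );
}
add_action( 'admin_init', 'eddlock_block_unauthenticated_search' );
```

This only narrows exposure to the unauthenticated path named in the advisory; it does not correct the query itself, so logged-in users can still reach the vulnerable function and the 403 responses in the error log are worth watching as an indicator of probing. Updating to 3.1.0.4 or later remains the fix.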

Exploit

Fix

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2023-08001
CVE-2023-23489

Affected Products

Easy Digital Downloads