PT-2024-39742 · WordPress · Easy Digital Downloads

Arkadiusz Hydzik · Published 2024-12-17 · Updated 2024-12-17 · CVE-2024-9654

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Easy Digital Downloads plugin for WordPress, versions 3.1 through 3.3.4

Description: The issue arises from insufficient validation checks within the verify guest email function, which allows unauthenticated attackers to bypass security restrictions and view other users' receipts. These receipts contain links to download paid content. To exploit this, an attacker needs to know another customer's email address and the file ID of the content they purchased.

Recommendations: For versions 3.1 through 3.3.4, consider disabling the verify guest email function until a patch is available, to prevent unauthorized access to purchase receipts. Restrict access to the receipt generation process to minimize the risk of exploitation. Avoid using the verify guest email function in conjunction with unvalidated user input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
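The following PHP is an added illustration of the authorization flaw class described above and is not code from Easy Digital Downloads or from the advisory author. It contrasts a guest receipt check that accepts data a third party can know (the buyer's e-mail and a purchased file ID) with one that requires a per-purchase secret only the buyer received, throttles and logs repeated failures. The payment record layout, the function names prefixed edd_example_, and the transient names are assumptions made for this example; the WordPress helpers used (sanitize_email, is_email, get_transient, set_transient, MINUTE_IN_SECONDS) are standard core functions and constants.

```php
<?php
// Added illustrative example, not Easy Digital Downloads code.
// The shape of $payment (id, email, file_ids, purchase_key) is an assumption.

/**
 * WEAK pattern (the class of flaw the advisory describes): a guest is
 * treated as the purchaser when the submitted e-mail matches the payment
 * e-mail and the file ID was part of the order. Both values can be known
 * to someone other than the buyer, so they do not prove ownership.
 */
function edd_example_guest_can_view_receipt_weak( array $payment, string $email, int $file_id ): bool {
    return strcasecmp( $payment['email'], $email ) === 0
        && in_array( $file_id, $payment['file_ids'], true );
}

/**
 * HARDENED pattern: ownership is proven by a high-entropy per-purchase
 * secret delivered only to the buyer (for example in the order confirmation),
 * compared in constant time. E-mail and file ID are still checked so the
 * receipt only exposes what was actually bought, but they are no longer
 * sufficient on their own. Failed attempts per payment are counted in a
 * transient so guessing can be throttled, and each failure is logged for
 * detection.
 */
function edd_example_guest_can_view_receipt( array $payment, string $email, int $file_id, string $purchase_key ): bool {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) || $purchase_key === '' ) {
        return false; // deny by default on malformed input
    }

    $attempt_key = 'edd_example_receipt_fail_' . (int) $payment['id']; // assumed transient name
    $failures    = (int) get_transient( $attempt_key );
    if ( $failures >= 5 ) {
        return false; // throttle: too many failed guest verifications for this purchase
    }

    $ok = strcasecmp( $payment['email'], $email ) === 0
        && in_array( $file_id, $payment['file_ids'], true )
        && hash_equals( (string) $payment['purchase_key'], $purchase_key );

    if ( ! $ok ) {
        set_transient( $attempt_key, $failures + 1, 15 * MINUTE_IN_SECONDS );
        error_log( sprintf(
            'guest receipt verification failed for payment %d from %s',
            (int) $payment['id'],
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
    return $ok;
}

// Constructed sample record for demonstration; the secret would be generated
// at checkout, e.g. bin2hex( random_bytes( 16 ) ), and stored with the payment.
$sample_payment = array(
    'id'           => 1234,
    'email'        => 'buyer@example.com',
    'file_ids'     => array( 42 ),
    'purchase_key' => 'f3c1a9d8e7b64c0a9d2e1f4b5a6c7d8e',
);

// A third party who knows only the e-mail and file ID passes the weak check...
var_dump( edd_example_guest_can_view_receipt_weak( $sample_payment, 'buyer@example.com', 42 ) ); // bool(true)
// ...but not the hardened one, because the per-purchase secret is missing.
var_dump( edd_example_guest_can_view_receipt( $sample_payment, 'buyer@example.com', 42, 'guess' ) ); // bool(false)
```

The point of the hardened version is that the decision rests on a secret bound to the purchase rather than on attributes of the buyer; the e-mail match becomes a consistency check, not the authorization itself. The transient-based counter and the error_log line give defenders a simple signal for repeated receipt-verification failures against one order.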

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-9654

Affected Products

Easy Digital Downloads