CVE-2024-13517

Name of the Vulnerable Software and Affected Versions Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress versions up to and including 3.3.2

Description The issue is related to Stored Cross-Site Scripting via the Title value due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For versions up to and including 3.3.2, update to a version later than 3.3.2 to resolve the issue. As a temporary workaround, consider restricting access to the Title value input field to minimize the risk of exploitation. Restrict access to pages that may contain injected scripts to prevent execution.