CVE-2024-6691
📋 TL;DR
This stored XSS vulnerability in the Easy Digital Downloads WordPress plugin allows authenticated administrators to inject malicious scripts that execute when users view affected pages. Only WordPress multi-site installations and sites with unfiltered_html disabled are vulnerable. Attackers can steal session cookies, redirect users, or deface websites.
💻 Affected Systems
- Easy Digital Downloads WordPress plugin
📦 What is this software?
Easy Digital Downloads by Awesomemotive
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, malware distribution to visitors, and persistent backdoor installation.
Likely Case
Session hijacking of other administrators, website defacement, or credential theft from users viewing injected pages.
If Mitigated
Limited impact due to requiring administrator access and specific WordPress configurations; primarily affects multi-site installations.
🎯 Exploit Status
Requires administrator-level access to WordPress dashboard. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3131805/easy-digital-downloads/tags/3.3.3/src/Admin/Settings/Sanitize.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Easy Digital Downloads.
4. Click 'Update Now' if available, or manually update to version 3.3.3+.
5. Clear any caching plugins/CDN caches.
🔧 Temporary Workarounds
Enable unfiltered_html for administrators
Enable the unfiltered_html capability for administrator roles to prevent exploitation (though this reduces security controls).
Temporarily disable plugin
Disable the Easy Digital Downloads plugin until patching is possible (will break e-commerce functionality).
🧯 If You Can't Patch
- Restrict administrator accounts to trusted personnel only and implement multi-factor authentication.
- Implement a Web Application Firewall (WAF) with XSS protection rules and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Easy Digital Downloads → Version. If the version is 3.3.2 or lower and the site is either a multi-site installation or has unfiltered_html disabled, it is vulnerable.
Check Version:
Run wp plugin list --name=easy-digital-downloads --field=version with WP-CLI, or read the version from the WordPress admin interface.
Verify Fix Applied:
Confirm plugin version is 3.3.3 or higher in WordPress admin panel. Test currency field input with basic XSS payloads to ensure sanitization.
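The triage below turns the advisory's "Check if Vulnerable" rule into a script: it compares the installed plugin version against 3.3.3 and combines that with the two configuration conditions (multi-site, or unfiltered_html withheld from administrators). This is an added example, not code from the advisory or from the plugin vendor. The WP-CLI helpers assume wp is on PATH and that the script runs from the site root; the administrator login passed on the command line is a placeholder.

```python
import re
import subprocess

# First version the advisory lists as fixed.
PATCHED_VERSION = (3, 3, 3)
PLUGIN_SLUG = "easy-digital-downloads"


def parse_version(text):
    """Turn a version string such as '3.3.2' or '3.10' into a comparable
    tuple, padding missing components with zeros."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError("no version number found in %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version, multisite, unfiltered_html_disabled):
    """Apply the advisory's condition: plugin below 3.3.3 AND the site is
    either multi-site or has unfiltered_html disabled for administrators."""
    below_fix = parse_version(version) < PATCHED_VERSION
    return below_fix and (multisite or unfiltered_html_disabled)


def _wp(*args):
    """Run a WP-CLI command (assumption: `wp` on PATH, cwd is the site root)."""
    return subprocess.run(["wp", *args], capture_output=True, text=True)


def installed_version():
    """The WP-CLI version check from the advisory."""
    result = _wp("plugin", "list", "--name=" + PLUGIN_SLUG, "--field=version")
    result.check_returncode()
    return result.stdout.strip()


def is_multisite():
    """`wp core is-installed --network` exits 0 only on a multi-site install."""
    return _wp("core", "is-installed", "--network").returncode == 0


def unfiltered_html_disabled(admin_login):
    """Ask WordPress itself whether the named administrator has unfiltered_html.
    Checking the capability at runtime matters because multi-site (and the
    DISALLOW_UNFILTERED_HTML constant) withhold it even though the role
    definition still lists it."""
    result = _wp("eval", 'echo current_user_can("unfiltered_html") ? 1 : 0;',
                 "--user=" + admin_login)
    result.check_returncode()
    return result.stdout.strip() != "1"


if __name__ == "__main__":
    import sys
    # Placeholder: login of an administrator account to evaluate.
    admin = sys.argv[1] if len(sys.argv) > 1 else "admin"
    version = installed_version()
    vulnerable = is_vulnerable(version, is_multisite(), unfiltered_html_disabled(admin))
    verdict = "VULNERABLE - update to 3.3.3+" if vulnerable else "not affected"
    print("Easy Digital Downloads %s: %s" % (version, verdict))
```

The decision function is kept separate from the WP-CLI probes so it can be exercised with known inputs; a 3.3.2 single-site install where administrators keep unfiltered_html reports as not affected, matching the advisory's scope.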
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity modifying currency settings
- POST requests to wp-admin/admin.php?page=edd-settings with script tags in parameters
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript execution on store pages
SIEM Query:
source="wordpress.log" AND "edd-settings" AND ("<script" OR "javascript:")
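As an added example (not part of the advisory), the scanner below applies the log indicator and SIEM query above to web-server access-log lines: a request to the EDD settings page whose URL-decoded query string contains a script tag or a javascript: URL is flagged. It also keeps the SIEM query as a literal substring test so the difference is visible: a URL-encoded payload (%3Cscript%3E) is missed by the literal query but caught after decoding. The log lines are constructed samples in combined log format, with RFC 5737 addresses, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=edd-settings&tab=general HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:01:40 +0000] "POST /wp-admin/admin.php?page=edd-settings&tab=general HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2024:10:02:15 +0000] "POST /wp-admin/admin.php?page=edd-settings&tab=general&currency=%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2024:10:03:00 +0000] "POST /wp-admin/admin.php?page=edd-settings&currency=javascript:void(0) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2024:10:04:00 +0000] "GET /shop/?s=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two payload markers named in the advisory's SIEM query.
PAYLOAD_RE = re.compile(r"<script|javascript:", re.IGNORECASE)


def siem_literal_match(line):
    """The advisory's SIEM query applied as a literal substring test."""
    lower = line.lower()
    return "edd-settings" in lower and ("<script" in lower or "javascript:" in lower)


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_line(line):
    """Return a finding when the request targets the EDD settings page and its
    URL-decoded query string carries a script tag or javascript: URL."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = unquote_plus(rec["path"])  # decode before matching so %3Cscript%3E is seen
    if "page=edd-settings" not in decoded:
        return None
    if not PAYLOAD_RE.search(decoded):
        return None
    return {"ip": rec["ip"], "time": rec["ts"], "method": rec["method"], "path": decoded}


def scan(log_text):
    """Run flag_line over every line and collect the findings."""
    return [f for f in (flag_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%(time)s %(ip)s %(method)s %(path)s" % finding)
```

Access logs only record the query string, so this catches parameters sent in the URL; settings saved through the admin form travel in the POST body, which needs request-body logging (a WAF or a WordPress audit-log plugin) to be inspected the same way. Unusual administrator activity on the currency setting, the other indicator listed above, is best taken from that audit trail rather than from the web-server log.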