CVE-2024-6691
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Currency SettingsThe Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
We have discovered 7,312 live websites that are affected by CVE-2024-6691.
Affected Software
| Product | |
| Category | Ecommerce |
| Vulnerable Domains | 7,312 live websites (43.87% of Easy Digital Downloads install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 158 versions ( 95.18% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Aug 10, 2024
- Updated - Aug 12, 2024
Credits
- Jonas Benjamin Friedli (finder)
CWE
CVE References
CWE References
CVE-2024-6691 usage by Country
 United States | 3,393 websites |
 Germany | 719 websites |
 Iran | 501 websites |
 France | 355 websites |
 GB | 328 websites |
 Japan | 170 websites |
 Cyprus | 149 websites |
 Italy | 142 websites |
 Poland | 139 websites |
 Canada | 105 websites |
CVE-2024-6691 usage by TLD
| .com | 4,153 websites |
| .org | 363 websites |
| .net | 260 websites |
| .de | 184 websites |
| .co.uk | 179 websites |
| .pl | 119 websites |
| .it | 115 websites |
| .fr | 90 websites |
| .com.au | 90 websites |
| .ru | 71 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-6691
Top websites that are affected by CVE-2024-6691. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ***************.eu |  Netherlands | *,*** | |
| **********.com | United States | *,*** | |
| ************.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.*********.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| **************.net | United States | **,*** |
FAQ
CVE-2024-6691 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Easy Digital Downloads
A total of 7,312 websites have been identified as vulnerable to CVE-2024-6691, discovered through global website indexing conducted by WebTechSurvey.
Easy Digital Downloads is susceptible to CVE-2024-6691 vulnerability.
Easy Digital Downloads versions before, and including, 3.3.2 are vulnerable to CVE-2024-6691.