CVE-2024-9654
Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall BypassThe Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.
We have discovered 1,675 live websites that are affected by CVE-2024-9654.
Affected Software
| Product | |
| Category | Ecommerce |
| Vulnerable Domains | 1,675 live websites (12% of Easy Digital Downloads install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 34 versions ( 23% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Dec 17, 2024
- Updated - Dec 17, 2024
Credits
- Arkadiusz Hydzik (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-9654 United States | 670 websites |
 Germany | 154 websites |
 Iran | 131 websites |
 GB | 85 websites |
 France | 73 websites |
 Italy | 68 websites |
 Cyprus | 38 websites |
 Canada | 34 websites |
 Spain | 34 websites |
Website Distribution by TLD
Number of websites using CVE-2024-9654| .com | 941 websites |
| .org | 85 websites |
| .net | 53 websites |
| .it | 49 websites |
| .co.uk | 43 websites |
| .de | 35 websites |
| .fr | 23 websites |
| .pl | 16 websites |
| .ca | 14 websites |
| .eu | 14 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9654
Top websites that are affected by CVE-2024-9654. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| **********.com |  Australia | **,*** | |
| ************.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| *********.com | United States | **,*** |
FAQ
CVE-2024-9654 is Incorrect Authorization in Easy Digital Downloads
A total of 1,675 websites have been identified as vulnerable to CVE-2024-9654, based on global website indexing conducted by WebTechSurvey.
The Easy Digital Downloads is affected by the CVE-2024-9654 vulnerability.
Easy Digital Downloads versions up to and including 3.3.4 are vulnerable to CVE-2024-9654.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d3f4de75-abf5-46e8-854d-be91ed74a5f3?source=cve
- https://plugins.trac.wordpress.org/changeset/3188001/easy-digital-downloads/trunk/includes/blocks/includes/orders/functions.php?old=2990247&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fblocks%2Fincludes%2Forders%2Ffunctions.php