Easy Digital Downloads <=3.3.3 Authenticated PHAR Deserialization (CVE-2022-2439)

From this webpage screenshot, the following key vulnerability information can be obtained: 1. **Plugin Name**: Easy Digital Downloads - Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization 2. **Version**: <= 3.3.3 3. **Severity**: CVSS 7.2 (High) 4. **Public Release Date**: September 23, 2024 5. **Update Date**: September 24, 2024 6. **Researcher**: Rasoul Jahanshahi 7. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 8. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 9. **Affected Versions**: <= 3.3.3 10. **Fixed Version**: 3.3.4 11. **CVE ID**: CVE-2022-2439 12. **CVSS Score**: 7.2 (High) 13. **Public Release Date**: September 23, 2024 14. **Update Date**: September 24, 2024 15. **Researcher**: Rasoul Jahanshahi 16. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 17. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 18. **Affected Versions**: <= 3.3.3 19. **Fixed Version**: 3.3.4 20. **CVE ID**: CVE-2022-2439 21. **CVSS Score**: 7.2 (High) 22. **Public Release Date**: September 23, 2024 23. **Update Date**: September 24, 2024 24. **Researcher**: Rasoul Jahanshahi 25. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 26. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 27. **Affected Versions**: <= 3.3.3 28. **Fixed Version**: 3.3.4 29. **CVE ID**: CVE-2022-2439 30. **CVSS Score**: 7.2 (High) 31. **Public Release Date**: September 23, 2024 32. **Update Date**: September 24, 2024 33. **Researcher**: Rasoul Jahanshahi 34. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 35. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 36. **Affected Versions**: <= 3.3.3 37. **Fixed Version**: 3.3.4 38. **CVE ID**: CVE-2022-2439 39. **CVSS Score**: 7.2 (High) 40. **Public Release Date**: September 23, 2024 41. **Update Date**: September 24, 2024 42. **Researcher**: Rasoul Jahanshahi 43. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 44. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 45. **Affected Versions**: <= 3.3.3 46. **Fixed Version**: 3.3.4 47. **CVE ID**: CVE-2022-2439 48. **CVSS Score**: 7.2 (High) 49. **Public Release Date**: September 23, 2024 50. **Update Date**: September 24, 2024 51. **Researcher**: Rasoul Jahanshahi 52. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 53. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 54. **Affected Versions**: <= 3.3.3 55. **Fixed Version**: 3.3.4 56. **CVE ID**: CVE-2022-2439 57. **CVSS Score**: 7.2 (High) 58. **Public Release Date**: September 23, 2024 59. **Update Date**: September 24, 2024 60. **Researcher**: Rasoul Jahanshahi 61. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 62. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 63. **Affected Versions**: <= 3.3.3 64. **Fixed Version**: 3.3.4 65. **CVE ID**: CVE-2022-2439 66. **CVSS Score**: 7.2 (High) 67. **Public Release Date**: September 23, 2024 68. **Update Date**: September 24, 2024 69. **Researcher**: Rasoul Jahanshahi 70. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 71. **Remediation Recommendation**: Upgrade to version 3.3.4 or higher. 72. **Affected Versions**: <= 3.3.3 73. **Fixed Version**: 3.3.4 74. **CVE ID**: CVE-2022-2439 75. **CVSS Score**: 7.2 (High) 76. **Public Release Date**: September 23, 2024 77. **Update Date**: September 24, 2024 78. **Researcher**: Rasoul Jahanshahi 79. **Vulnerability Description**: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Addit

Goal Reached Thanks to every supporter — we hit 100%!

Easy Digital Downloads <=3.3.3 Authenticated PHAR Deserialization (CVE-2022-2439)

More from this source