Easy Digital Downloads Vulnerability– Sell Digital Files (eCommerce Store & Payments Made Easy) – Authenticated (Shop Manager+) Stored Cross-Site Scripting – CVE-2024-0659 | WordPress Plugin Vulnerability Report

Plugin Name: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)

Key Information:

  • Software Type: Plugin
  • Software Slug: easy-digital-downloads
  • Software Status: Active
  • Software Author: smub
  • Software Downloads: 4,802,741
  • Active Installs: 50,000
  • Last Updated: February 8, 2024
  • Patched Versions: 3.2.7
  • Affected Versions: <= 3.2.6

Vulnerability Details:

  • Name: Easy Digital Downloads <= 3.2.6
  • Title: Authenticated (Shop Manager+) Stored Cross-Site Scripting via variable pricing options
  • Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0659
  • CVSS Score: 5.5
  • Publicly Published: February 2, 2024
  • Researcher: emad
  • Description: Easy Digital Downloads, a prominent WordPress plugin designed for selling digital products, has been found to have a Stored Cross-Site Scripting vulnerability in its variable pricing option titles. This flaw, identified in versions up to and including 3.2.6, arises from inadequate input sanitization and output escaping, enabling attackers with shop manager-level access to embed malicious scripts. These scripts can be executed unsuspectingly by users, posing a risk to site integrity and user security.


Easy Digital Downloads is a critical tool for many WordPress-based eCommerce sites, facilitating the sale of digital products with ease. However, a significant security concern has been identified in versions up to and including 3.2.6, where the variable pricing option titles can be exploited to inject harmful scripts. This vulnerability, now patched in version 3.2.7, underscores the importance of maintaining up-to-date software to safeguard against potential security breaches.

Detailed Overview:

This vulnerability, discovered by researcher emad, highlights the subtle yet significant risks associated with insufficient data validation processes within plugins. The ability for shop managers to inject arbitrary scripts creates a vector for potential data breaches, unauthorized access, and manipulation of site content. The prompt issuance of a patch in version 3.2.7 by the plugin's developers is a testament to the critical nature of the vulnerability and the necessity for immediate remedial action.

Advice for Users:

  • Immediate Action: Update to version 3.2.7 immediately to mitigate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Regularly monitor your site for any unusual activities or content alterations that might suggest exploitation.
  • Alternate Plugins: While the patched version rectifies this issue, exploring alternative eCommerce plugins can provide contingency options should future vulnerabilities arise.
  • Stay Updated: Consistently ensuring that all WordPress plugins and themes are up-to-date is essential for minimizing vulnerability to known security threats.


The swift action taken by the developers of Easy Digital Downloads to address this vulnerability serves as a crucial reminder of the importance of timely software updates in the realm of web security. Users are encouraged to promptly update to version 3.2.7 or later to protect their WordPress installations from potential exploits. This incident highlights the ongoing need for vigilance and proactive security measures in maintaining a secure and trustworthy online presence.


In the digital marketplace, where WordPress reigns supreme as the platform of choice for entrepreneurs and content creators, plugins like Easy Digital Downloads have become indispensable tools for e-commerce success. This plugin, known for its seamless integration and user-friendly interface for selling digital products, recently found itself at the center of a cybersecurity concern with the discovery of CVE-2024-0659. This incident not only sheds light on the specific vulnerabilities within widely used plugins but also emphasizes the broader imperative of maintaining up-to-date and secure digital environments.

Plugin Overview:

Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) is a pivotal WordPress plugin that simplifies the process of selling digital products online. With over 4.8 million downloads and 50,000 active installations, its influence is undeniable. Authored by smub and continuously updated, the plugin recently released version 3.2.7 to address the critical vulnerability found in its previous versions.

Vulnerability Insights:

CVE-2024-0659, identified in versions up to 3.2.6, manifests through the plugin's variable pricing options, where insufficient input sanitization and output escaping allowed shop managers to inject malicious scripts. This Stored Cross-Site Scripting vulnerability, discovered by researcher emad and publicly disclosed on February 2, 2024, posed significant risks to site integrity and user security by enabling unauthorized script execution.

Potential Risks:

The implications of such vulnerabilities extend beyond mere technical glitches; they can compromise sensitive user data, manipulate site content, and erode the trust that users place in digital platforms. For small business owners, the stakes are particularly high, as any breach can lead to substantial reputational damage and potential financial losses.

Remediation Steps:

To mitigate the risks associated with CVE-2024-0659, users are urged to update to the patched version 3.2.7 promptly. Beyond this immediate action, regularly monitoring for unusual site activity and exploring alternative e-commerce plugins can serve as additional safeguards. Maintaining up-to-date software is not just a recommendation; it's a critical component of web security.

Historical Context:

It's worth noting that Easy Digital Downloads is no stranger to vulnerabilities, with 21 previous incidents since April 20, 2015. This history underscores the ongoing battle against cyber threats and the importance of continuous vigilance in the digital space.

Concluding Thoughts:

For small business owners juggling myriad responsibilities, the task of staying abreast of every security update might seem daunting. However, the digital ecosystem's nature demands vigilance and proactive security measures to protect your online presence. The case of CVE-2024-0659 with Easy Digital Downloads serves as a poignant reminder of the ever-present need for diligence in updating and securing digital tools. By prioritizing regular updates and adhering to best security practices, you can safeguard your digital storefront against the relentless tide of cyber threats, ensuring a secure and trustworthy experience for your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Easy Digital Downloads Vulnerability– Sell Digital Files (eCommerce Store & Payments Made Easy) – Authenticated (Shop Manager+) Stored Cross-Site Scripting – CVE-2024-0659 | WordPress Plugin Vulnerability Report FAQs

What is CVE-2024-0659?

CVE-2024-0659 is a designated identifier for a specific security vulnerability found in the Easy Digital Downloads WordPress plugin. This vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, arising from insufficient input sanitization and output escaping within the plugin's variable pricing options. It allows users with shop manager-level access or higher to inject malicious scripts, which can then be executed by anyone accessing the compromised pages.

This vulnerability was publicly disclosed on February 2, 2024, and affects all versions of the plugin up to and including 3.2.6. It highlights the importance of thorough security practices in plugin development and maintenance.

Leave a Comment