Easy Digital Downloads <=3.3.3 Authenticated PHAR Deserialization (CVE-2022-2439)

From this webpage screenshot, the following key vulnerability information can be obtained: 1. Plugin Name: Easy Digital Downloads - Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization 2. Version: <= 3.3.3 3. Severity: CVSS 7.2 (High) 4. Public Release Date: September 23, 2024 5. Update Date: September 24, 2024 6. Researcher: Rasoul Jahanshahi 7. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 8. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 9. Affected Versions: <= 3.3.3 10. Fixed Version: 3.3.4 11. CVE ID: CVE-2022-2439 12. CVSS Score: 7.2 (High) 13. Public Release Date: September 23, 2024 14. Update Date: September 24, 2024 15. Researcher: Rasoul Jahanshahi 16. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 17. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 18. Affected Versions: <= 3.3.3 19. Fixed Version: 3.3.4 20. CVE ID: CVE-2022-2439 21. CVSS Score: 7.2 (High) 22. Public Release Date: September 23, 2024 23. Update Date: September 24, 2024 24. Researcher: Rasoul Jahanshahi 25. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 26. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 27. Affected Versions: <= 3.3.3 28. Fixed Version: 3.3.4 29. CVE ID: CVE-2022-2439 30. CVSS Score: 7.2 (High) 31. Public Release Date: September 23, 2024 32. Update Date: September 24, 2024 33. Researcher: Rasoul Jahanshahi 34. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 35. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 36. Affected Versions: <= 3.3.3 37. Fixed Version: 3.3.4 38. CVE ID: CVE-2022-2439 39. CVSS Score: 7.2 (High) 40. Public Release Date: September 23, 2024 41. Update Date: September 24, 2024 42. Researcher: Rasoul Jahanshahi 43. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 44. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 45. Affected Versions: <= 3.3.3 46. Fixed Version: 3.3.4 47. CVE ID: CVE-2022-2439 48. CVSS Score: 7.2 (High) 49. Public Release Date: September 23, 2024 50. Update Date: September 24, 2024 51. Researcher: Rasoul Jahanshahi 52. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 53. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 54. Affected Versions: <= 3.3.3 55. Fixed Version: 3.3.4 56. CVE ID: CVE-2022-2439 57. CVSS Score: 7.2 (High) 58. Public Release Date: September 23, 2024 59. Update Date: September 24, 2024 60. Researcher: Rasoul Jahanshahi 61. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 62. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 63. Affected Versions: <= 3.3.3 64. Fixed Version: 3.3.4 65. CVE ID: CVE-2022-2439 66. CVSS Score: 7.2 (High) 67. Public Release Date: September 23, 2024 68. Update Date: September 24, 2024 69. Researcher: Rasoul Jahanshahi 70. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 71. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 72. Affected Versions: <= 3.3.3 73. Fixed Version: 3.3.4 74. CVE ID: CVE-2022-2439 75. CVSS Score: 7.2 (High) 76. Public Release Date: September 23, 2024 77. Update Date: September 24, 2024 78. Researcher: Rasoul Jahanshahi 79. Vulnerability Description: The plugin allows untrusted input via the file upload parameter and uses the PHAR wrapper for deserialization, enabling execution of arbitrary PHP objects. Additionally, a POP chain exists. 80. Remediation Recommendation: Upgrade to version 3.3.4 or higher. 81. Affected Versions: <= 3.3.3 82. Fixed Version: 3.3.4 83. CVE ID: CVE-2022-2439 84. CVSS Score: 7.2 (High) 85. Public Release Date: September 23, 2024 86. Update Date: September 24, 2024 87. Researcher: Rasoul Jahans

Goal Reached Thanks to every supporter — we hit 100%!

Easy Digital Downloads <=3.3.3 Authenticated PHAR Deserialization (CVE-2022-2439)

More from this source