CVE-2022-2387 in Easy Digital Downloads Plugininfo

Summary

by MITRE • 11/07/2022

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2022-2387 affects the Easy Digital Downloads WordPress plugin version 2.10.1 and earlier, representing a critical security flaw that undermines the integrity of administrative operations within WordPress environments. This issue stems from the absence of proper cross-site request forgery protection mechanisms within the plugin's payment history deletion functionality, creating a significant attack vector for malicious actors who can manipulate authenticated administrators into performing unauthorized actions. The vulnerability specifically targets the administrative interface where payment records are managed, exploiting the lack of validation controls that should verify the legitimacy of deletion requests.

The technical implementation flaw resides in the plugin's failure to implement proper CSRF token validation when processing payment history deletion requests. According to CWE-352, this represents a classic cross-site request forgery vulnerability where the application does not adequately verify the origin of requests. The vulnerability manifests because the plugin accepts deletion commands without confirming that they originate from legitimate administrative interfaces or that the targeted posts are indeed payment records. This weakness allows attackers to craft malicious requests that appear to come from authenticated administrators, exploiting the trust relationship between the WordPress admin interface and the Easy Digital Downloads plugin.

The operational impact of this vulnerability extends beyond simple data manipulation, as it enables attackers to potentially cause significant disruption to e-commerce operations and financial record keeping. An attacker who successfully executes a CSRF attack could delete payment records, leading to data loss and financial discrepancies that would be difficult to trace or recover from. The vulnerability affects any administrator who is logged into the WordPress admin panel when visiting a malicious website, making it particularly dangerous in environments where administrators frequently browse untrusted sites. This threat scenario aligns with ATT&CK technique T1078.004 which describes legitimate credentials usage for persistence and privilege escalation through administrative access exploitation.

The attack vector requires minimal technical sophistication, as it relies on social engineering to get administrators to visit malicious sites while authenticated to their WordPress installations. The vulnerability is particularly concerning because payment history deletion is a critical administrative function that directly impacts financial data integrity. Organizations using Easy Digital Downloads plugin versions prior to 3.0 are at risk of unauthorized data manipulation, potential financial loss, and disruption of their e-commerce operations. The lack of proper post type validation means attackers could potentially delete other types of posts, though the primary concern focuses on payment records that maintain financial transaction histories.

Mitigation strategies should prioritize immediate plugin updates to version 3.0 or later, which implements proper CSRF protection mechanisms. Administrators should also consider implementing additional security measures such as two-factor authentication, regular security audits of installed plugins, and monitoring of administrative actions within WordPress environments. The fix addresses the core issue by implementing proper CSRF token validation and ensuring that only legitimate payment history records can be deleted through the administrative interface. Organizations should also review their plugin management practices to ensure timely updates and maintain security awareness training for administrative users to prevent social engineering attacks that exploit this vulnerability.

Reservation

07/12/2022

Disclosure

11/07/2022

Moderation

accepted

CPE

ready

EPSS

0.00286

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!