WordPress Plugin: Easy Digital Downloads – Security Flaw Discovered and Patched

Last night we were contacted by Adam Pickering about a security flaw discovered in Easy Digital Downloads (EDD), a free WordPress eCommerce plugin that allows you to sell digital downloads. If you use EDD and haven’t done so already, please make sure to upgrade to Version immediately!

The plugin author, Pippin Williamson, received word about the flaw within hours of it being validated, and had a patched version up on the WordPress Plugin Directory within the hour.

Here is an excerpt from the post Pippin released on the official Easy Digital Downloads blog this morning:

Due to the nature of the flaw, we cannot go into detail about exactly what the flaw was or how it could be exploited, but it had to do with user accounts and it was severe. The flaw permitted an experienced user who knew exactly what they were doing (and knew how to exploit the issue) to potentially gain admin access to sites running specific versions of EDD with specific configurations.

EDD versions affected: 1.4.2 –

Version fixes the problem

Take Action

Bugs and security issues happen. With responsible authors like Pippin, you’ll get quick action to rectify any shortfalls found within their products. From there it’s on you to do the right thing and ensure you’re maintaining your site!

I personally validated this flaw, and the patch is indeed needed. I recommend you upgrade as soon as possible.

Leave us your comments or thoughts below. If you have questions about your site, feel free to email info@sucuri.net.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • http://www.wmwebdesign.co.uk/ Keith Davis

    Gave it a tweet, Dre, with a link back to this article.
    It’s tough out there – that’s why I signed up with you boys.

  • Pingback: Tips Tuesday – Time to Change How You Blog - BlogAid()

  • http://www.yepinkizi.com/ yepi kizi

    Thank you for this post. It was a great read, which was extremely helpful.

  • Pingback: WordPress Security Threats - Feb/2013 - WPForce()

  • marukim

    Thanks a lot. I like your blog.

  • http://wpspeak.com/ Rudd

    Nice. I've heard nothing but good things about EDD and Pippin. Glad he took fast action.

  • http://www.friv2jogos.com/ Friv 2

    Thanks for the post. Good information.

  • http://www.y8u.org/ Y8

    Additionally you make many valid points with compelling, completely
    unique content.