Security fix released

Earlier today an important security fix was released for Easy Digital Downloads. This update resolves a security vulnerability discovered in a large number of plugins through the collaborative efforts of the WordPress core development team, dozens of plugin developers, and researchers at Sucuri.com.

Due to improper usage of the add_query_arg() function, there were several locations in Easy Digital Downloads that were possibly susceptible to Cross-site Scripting attacks.

The probability of these vulnerabilities being exploited is minimal, but in an effort to ensure that all users of Easy Digital Downloads are protected against even small odds of an attack, we have collaborated with the team at WordPress.org to deploy automatic updates to all sites using version 1.8 through 2.3. This means that unless you have opted out of automatic updates, your site will be updated automatically to a version of Easy Digital Downloads that has the vulnerability fixed.

Each version “branch” of Easy Digital Downloads will be updated separately. This means that if you are still running version 2.1, you will be updated to version 2.1.11. If you are running version 1.8, you will only be updated to 1.8.7. This has been done to minimize changes to your site as much as possible.

Here’s a breakdown of what version you will be updated to, based on what you are currently running:

Installed version    Updated to version
2.3.x                2.3.7
2.2.x                2.2.9
2.1.x                2.1.11
2.0.x                2.0.5
1.9.x                1.9.10
1.8.x                1.8.7

For more information about how automatic security updates work, please refer to this blog post on make.wordpress.org/plugins.

Extensions and Themes

Our entire catalogue of extensions and themes was also audited for the same security flaw, and some were found to be vulnerable. The flaws found in the extensions and themes are very minor, but it is still important that you update to the latest version if you are using any of the extensions or themes listed below.

Note that none of the extensions or themes are being automatically updated like EDD core. This means you will need to install the update yourself, just like any other plugin or theme update. For commercial themes and extensions, you will need to have a valid and active license key in order to install the update.

Vulnerable extensions:

  • Amazon S3
  • Attach Accounts to Orders
  • Commissions
  • Content Restriction
  • Cross-sell Upsell
  • Conditional Success Redirects
  • CSV Manager
  • Favorites
  • Free Downloads
  • htaccess Editor
  • Invoices
  • Manual Purchases
  • PDF Invoices
  • PDF Stamper
  • Per Product Emails
  • Pushover Notifications
  • QR Code
  • Recommended Products
  • Recount Earnings
  • Recurring Payments
  • Reviews
  • Simple Shipping
  • Software Licensing
  • Stripe
  • Upload File
  • Wish Lists

Vulnerable themes:

  • Digital Store
  • Lattice
  • Quota
  • Shoppette
  • Twenty-Twelve – EDD

If you have any questions or concerns about this update, do not hesitate to let us know in the support forums.

Comments

Hey Pippin, thanks for this, I am waiting to hear back from my developer about this update now. Would not doing the update cause functionality problems with the site? E.g. in the last day or so my landing pages post payment are no longer working (I was not aware until a few moments ago that you had released a security fix).

Thanks.

Unless you have opted out of automatic updates, your site probably already has the update installed since this was an automatically deployed update.

We’d be happy to help track down the payment issue for you if you’d like to open a support ticket.

Philip

I’m not sure I understand. Does the vulnerability lie in the mere presence of add_query_arg or remove_query_arg without those being wrapped in esc_url()? I must be wrong because I see unescaped add_query_arg in EDD 2.3.8.

No, not all cases of add/remove_query_arg() are vulnerable. They are only vulnerable if the 3rd parameter passed to the function is an unescaped / trusted URL.

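
The following example is added here to illustrate the add_query_arg() pattern described in the post and asked about by Philip above; it is not code from Easy Digital Downloads. It assumes that, outside WordPress, the two much-simplified stand-ins for add_query_arg() and esc_url() defined in the script are used, and that the request URI is the constructed value shown.

```php
<?php
// Added example, not code from Easy Digital Downloads. With no URL argument,
// add_query_arg() builds on $_SERVER['REQUEST_URI'], so its return value has to
// pass through esc_url() before it is printed into an attribute. Inside WordPress
// the real functions are used; the stand-ins below (assumptions, much simplified)
// only let the script run from the PHP CLI.

if ( ! function_exists( 'add_query_arg' ) ) {
    function add_query_arg( $key, $value, $url = null ) {
        if ( null === $url ) {
            $url = $_SERVER['REQUEST_URI']; // request-controlled, never escaped
        }
        $sep = ( false === strpos( $url, '?' ) ) ? '?' : '&';
        return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Like WordPress's esc_url(): strip every character outside the URL-safe set
    // (this drops " < > and whitespace) and entity-encode & and '.
    function esc_url( $url ) {
        $url = preg_replace( '/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', $url );
        return str_replace( array( '&', "'" ), array( '&#038;', '&#039;' ), $url );
    }
}

// Vulnerable pattern: the raw return value lands inside href="...".
function pagination_link_vulnerable( $page ) {
    return '<a href="' . add_query_arg( 'paged', $page ) . '">Next</a>';
}

// Fixed pattern: escape at the point of output.
function pagination_link_fixed( $page ) {
    return '<a href="' . esc_url( add_query_arg( 'paged', $page ) ) . '">Next</a>';
}

// Check: the href is intact only if it is still one quoted value, nothing more.
function href_is_intact( $html ) {
    return 1 === preg_match( '/^<a href="[^"<>]*">Next<\/a>$/', $html );
}

// Constructed request URI carrying a stray double quote, as reflected input might.
$_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?post_type=download&view=a"b';

foreach ( array( 'vulnerable', 'fixed' ) as $variant ) {
    $html = call_user_func( "pagination_link_$variant", 2 );
    printf( "%-10s intact=%s  %s\n", $variant, href_is_intact( $html ) ? 'yes' : 'no', $html );
}
```

Run from the CLI, the vulnerable variant reports intact=no because the quote from the request URI closes the attribute early, while the fixed variant reports intact=yes.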

Hello, I have an error with Easy Digital Downloads 2.4.9. It is an inactive plugin; after a successful install it says
“Warning: require_once(/home/asakereh/public_html/wp-content/plugins/easy-digital-downloads/includes/admin/upgrades/upgrade-functions.php): failed to open stream: No such file or directory in /home/asakereh/public_html/wp-content/plugins/easy-digital-downloads/easy-digital-downloads.php on line 322”
I am using a fresh install of WordPress 4.3.1 with no other plugins or themes, and every time I try to activate it, it fails.
I also tested the old version 2.1, which works, but using it is not an option for me.

Please go ahead and open a support ticket and we will be happy to assist you: https://easydigitaldownloads.com/support/
