Unrated severityNVD Advisory· Published Sep 24, 2024· Updated Apr 8, 2026
Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization
CVE-2022-2439
Description
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <=3.3.3
- smub/Easy Digital Downloads – eCommerce Payments and Subscriptions made easyv5Range: 0
Patches
Vulnerability mechanics
References
3- plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/includes/admin/import/import-functions.phpmitre
- plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/src/Utils/FileSystem.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dcmitre
News mentions
0No linked articles in our index yet.