The plugin does not have authorisation and CSRF checks in its AJAX action, allowing unauthenticated users to call it. One in particular could allow them to reset any account’s password by knowing the username.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | easy-digital-downloads | lt | 3.1.1.4.2 |