CVE-2021-39354: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads WordPress plugin (versions up to and including 2.11.2) was found to contain a Reflected Cross-Site Scripting vulnerability. The vulnerability exists in the payment history dashboard where the $start_date and $end_date parameters in the ~/includes/admin/payments/class-payments-table.php file were not properly escaped before being output back in attributes (WPScan, NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows attackers to inject arbitrary web scripts through the start-date and end-date parameters in the payment history dashboard (Wordfence).

If exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute in the context of other users' browsers when they access the affected pages. This could potentially lead to theft of sensitive information or manipulation of the admin interface (WPScan).

The vulnerability was fixed in version 2.11.2.1 of the Easy Digital Downloads plugin. Users should update to this version or later to protect against this security issue (WPScan).