CVE-2024-12875: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads – eCommerce Payments and Subscriptions plugin for WordPress has been identified with a Directory Traversal vulnerability (CVE-2024-12875) affecting all versions up to and including 3.3.2. The vulnerability was discovered and disclosed on December 21, 2024, impacting the plugin's file download functionality (NVD CVE).

The vulnerability is classified as a Directory Traversal (CWE-22) and External Control of File Name or Path (CWE-73) issue. It has received a CVSS v3.1 Base Score of 4.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. This indicates that while the vulnerability requires high privileges to exploit, it can be accessed over the network and requires no user interaction (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with Administrator-level access or higher to read the contents of arbitrary files on the server. This access could potentially expose sensitive information stored on the server (NVD CVE).

A patch has been released in version 3.3.3 of the Easy Digital Downloads plugin. Users are advised to update their installations to this version or later to mitigate the vulnerability (WordPress Patch).