CVE-2024-5057: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads WordPress plugin contains an SQL Injection vulnerability (CVE-2024-5057) that affects versions up to and including 3.2.12. The vulnerability was discovered by security researcher akas wisnu aji and was publicly disclosed on August 1, 2024. This unauthenticated SQL Injection vulnerability exists due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (WPScan, Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received critical severity ratings. The CVSS v3.1 scores vary between sources, with NVD assigning a score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack rates it at 9.3 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (NVD).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. The high severity ratings indicate that successful exploitation could lead to significant data breaches and system compromise (WPScan).

The vulnerability has been patched in version 3.3.1 of the Easy Digital Downloads plugin. Users are strongly advised to update to this version or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).