CVE-2024-9654: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads plugin for WordPress contains an Improper Authorization vulnerability (CVE-2024-9654) affecting versions 3.1 through 3.3.4. The vulnerability was discovered and disclosed on December 17, 2024, impacting the WordPress plugin's security mechanisms (NVD).

The vulnerability stems from insufficient validation checks within the 'verifyguestemail' function, which fails to properly verify if the requesting user is the intended recipient of a purchase receipt. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity (NVD).

If exploited, this vulnerability allows unauthenticated attackers to bypass security restrictions and view purchase receipts of other users, which contain links to download paid content. The impact is limited to unauthorized access to purchase receipts and their associated download links (NVD).

The vulnerability has been patched in version 3.3.5 of the Easy Digital Downloads plugin. Users are advised to update to this version or later to protect against potential exploitation (NVD).