Last night a crucial security flaw was discovered in the checkout process of Easy Digital Downloads and fixed immediately. Version 1.4.4.2 was pushed out and takes care of the issue. Please update immediately if you are on less than 1.4.4.2.

Due to the nature of the flaw, I cannot go into detail about exactly what the flaw was or how it could be exploited, but it had to do with user accounts and it was severe. The flaw permitted an experienced user who knew exactly what they were doing (and knew how to exploit the issue) to potentially gain admin access to sites running specific versions of EDD with specific configurations.

EDD versions affected: 1.4.2 – 1.4.4.1.

Version 1.4.4.2 fixes the problem.

The flaw was discovered by Adam of Mint Themes, who, thankfully, reported it immediately, allowing us to send out a patch within 30 minutes of the discovery.

  1. Adewale

    This is true and I am grateful you discovered it on time and have done a patch for it. I noticed people making orders where the email address in the order details is admin@mywebsite.com and the username is the admin name of my site’s admin account.
    I have to be up to the task to make sure no one was accessing the site with the admin account.

    • Pippin

      We are glad we found it too!

      Orders showing up like that are unlikely to be related to this flaw but it is still worth a check.

  2. Mike Thornton

    Hello, I am using the Easy Digital Downloads plug-in on a WordPress site I am building. I made the essential update(s), but the cart is not working. Did I miss something? Here’s the site/page where I am using the plug-in: http://eddiefowlkes.com/?page_id=11
