On 12/5/2014 I contacted Pippin Williamson at Easy Digital Downloads to notify of some discovered security issues. He was very thankful and quick to resolve these issues and on 12/9/2014 version 2.2 was released.
Unfortunately there was not any explicit notification in the release notes of any security vulnerability, but they were visible in the github commit messages. It is recommended you upgrade right away, especially if you are selling products and like to get paid!
There were two classes of vulnerabilities discovered. The first was the typical not verifying the user has proper permission/nonce of an AJAX request. The second, which is apparently not a bug but an intentional feature, allows any action/filter that starts with ‘edd_’ to be called.
Some of the capabilities these vulnerabilities allow:
- Logged in users (not just admin) can update prices on arbitrary items
- Anyone can display a list of all banned emails
- Anyone can change tax rates
- Anyone can mark arbitrary orders as paid without actually paying
If you are a plugin developer that extends the Easy Digital Downloads plugin, make sure that any actions/filters you add that begin with ‘edd_’ are properly checking permissions.