CVE-2022-2439 HIGH

CVE-2022-2439: Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization

Vendor Smub
Product Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Weakness CWE-502 · Unsafe deserialization
Published September 24, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Key dates

02Disclosure timeline

September 24, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-24378 WordPress EventPrime plugin <= 4.2.8.0 - PHP Object Injection vulnerability CVE-2020-5411 Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets" CVE-2025-2485 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion CVE-2025-48018 Deserialization of Untrusted Data CVE-2024-1872 Button <= 1.1.27 - Authenticated (Contributor+) PHP Object Injection in button_shortcode