If you run an e-commerce site on WordPress, there’s a good chance you’ve heard of Easy Digital Downloads (EDD). It’s one of the most popular plugins for selling digital products. But did you know that before version 3., this plugin had a dangerous vulnerability? Let’s break down CVE-2022-2387 in plain language, show you how it could be exploited, and help you protect your site.
What Is CVE-2022-2387?
CVE-2022-2387 is a security hole in Easy Digital Downloads (EDD), a WordPress plugin that powers thousands of online stores. The flaw lets attackers trick admins into deleting any post on their WordPress website, not just payment records. This is possible by abusing a web security weakness called CSRF (Cross-Site Request Forgery).
- There was no CSRF check when deleting payment records.
- The plugin also didn’t verify that the item being deleted was actually a payment record—it could be any post.
So if an attacker could lure a logged-in admin to click a malicious link or visit a trap site, that admin’s browser would silently send a request that deletes *any post*—even pages or blog posts.
Technical Deep Dive
The vulnerable code is in the part of EDD that handles deletion of payments. Here’s a simplified, relevant code snippet (before v3.):
```php
// NO verification of CSRF nonce!
if ( isset( $_GET['action'] ) && $_GET['action'] === 'delete' && isset( $_GET['post'] ) ) {
    $post_id = intval( $_GET['post'] );
    // NO check to ensure it's actually a payment post type!
    wp_delete_post( $post_id, true );
    // Redirect or render response
}
```
1. Attacker crafts a malicious link that triggers the deletion action:
   ```html
   https://victimsite.com/wp-admin/edit.php?post_type=download&page=edd-payments&action=delete&post=42" />
   ```
2. Admin is logged in to their site (has a valid session).
3. Admin visits the attacker’s page or clicks the link. Their browser will send a request to the site as if the admin had clicked 'delete' themselves.
4. The specified post (with ID 42) is deleted by the site, even if it’s a blog post, a critical page, or something else important.
*Note: The attacker needs to know or guess a valid post ID, but that's often easy on public WordPress sites.*
What Is CSRF, Anyway?
Cross-Site Request Forgery (CSRF) means tricking an authenticated user into performing an action they didn't intend—like deleting a post—simply by tricking them into visiting a malicious website. The action is carried out with *their* browser and *their* login session, so the site thinks the request is legitimate!
Sample patched code
```php
if (
    isset( $_GET['action'], $_GET['_wpnonce'] ) && $_GET['action'] === 'delete' &&
    wp_verify_nonce( $_GET['_wpnonce'], 'delete_payment' ) &&
    isset( $_GET['post'] )
) {
    $post_id = intval( $_GET['post'] );
    // Only payment records may be deleted through this handler
    if ( 'edd_payment' === get_post_type( $post_id ) ) {
        wp_delete_post( $post_id, true );
    }
}
```
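To make the two checks in the patched code concrete, here is an added Python model of the hardened handler (example code written for this post, not the plugin's own). The nonce scheme is modelled on WordPress's `wp_create_nonce`/`wp_verify_nonce` (HMAC over a time tick, the action and the user ID); the secret, the post table, the user record and the extra capability check are constructed for the example and are not in the page's snippet.

```python
import hmac
import hashlib
import time

# Constructed stand-ins for WordPress state (not real site data).
SECRET_KEY = b"constructed-nonce-salt-for-this-example"
POSTS = {42: "page", 99: "edd_payment"}  # post ID -> post type
CURRENT_USER = {"id": 7, "can_delete_payments": True}


def nonce_tick(life=12 * 3600):
    """Coarse time bucket, modelled on WordPress's wp_nonce_tick()."""
    return int(time.time() / (life / 2))


def _nonce_for(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    # WordPress keeps 10 characters of the hash; the exact slice is modelled, not authoritative.
    return hmac.new(SECRET_KEY, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, user_id):
    """Modelled on wp_create_nonce(): the nonce is bound to action AND user."""
    return _nonce_for(nonce_tick(), action, user_id)


def verify_nonce(nonce, action, user_id):
    """Modelled on wp_verify_nonce(): accept the current tick or the previous one."""
    now = nonce_tick()
    for tick in (now, now - 1):
        if hmac.compare_digest(_nonce_for(tick, action, user_id), nonce):
            return True
    return False


def handle_delete(params, user=CURRENT_USER):
    """Hardened delete handler: nonce, then capability, then post type, then delete.
    Returns (status, detail) instead of performing side effects so outcomes are checkable."""
    if params.get("action") != "delete" or "post" not in params:
        return ("ignored", None)
    # A cross-site request cannot carry a valid nonce for this user and action.
    if not verify_nonce(params.get("_wpnonce", ""), "delete_payment", user["id"]):
        return ("rejected", "missing or invalid nonce")
    if not user["can_delete_payments"]:  # capability check (added beyond the page's snippet)
        return ("rejected", "insufficient capability")
    post_id = int(params["post"])
    if POSTS.get(post_id) != "edd_payment":  # the second half of the fix: post type check
        return ("rejected", "not a payment record")
    del POSTS[post_id]
    return ("deleted", post_id)
```

Running `handle_delete({"action": "delete", "post": "42"})` (the forged request from the walkthrough) is rejected for the missing nonce; with a valid nonce it is still rejected because post 42 is a page, not a payment.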
How To Protect Your Site
- Update Easy Digital Downloads immediately! Version 3. or later is safe. Download the latest version.
Taken down your business during a crucial sale window
Remember: CSRF attacks are usually invisible. The admin might not realize something was wrong until days later.
Further Reading and References
- Original CVE Entry
- Wordfence advisory
- Easy Digital Downloads Changelog
- OWASP CSRF Explanation
Summary
CVE-2022-2387 is a textbook example of why CSRF protection and proper input validation matter. WordPress site owners running Easy Digital Downloads should update ASAP, and any plugin authors should always protect sensitive actions with nonces and post type checks.
By understanding vulnerabilities like these, you can keep your site—and your business—safer!
*Stay secure, and always keep your plugins up to date!*
Timeline
Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/09/2022 20:00:00 UTC