Impact
What kind of vulnerability is it? Who is impacted?
This is an authentication bypass vulnerability. Stores with no API keys created are vulnerable.
Patches
Has the problem been patched? What versions should users upgrade to?
This is patched in versions 2.8.20 and 2.9.17 of Easy Digital Downloads.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Going to Tools > API Keys and generating a single API key will prevent the bypass from being exploited.
References
Are there any links users can visit to find out more?
As GiveWP is a fork of EDD, this blog post explains the bypass that is present in Easy Digital Downloads:
https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-givewp-plugin/
For more information
If you have any questions or comments about this advisory: