CVE-2024-9654 is a security vulnerability classified under CWE-863 (Incorrect Authorization) affecting the Easy Digital Downloads plugin for WordPress, specifically versions 3.1 through 3.3.4. The flaw exists in the 'verify_guest_email' function, which fails to adequately verify that the user requesting a purchase receipt is the legitimate recipient. This improper authorization allows unauthenticated attackers to bypass security controls and retrieve purchase receipts belonging to other customers. These receipts contain direct links to download paid digital content, effectively enabling unauthorized access to paid materials without payment. Successful exploitation requires the attacker to know the victim's email address and the file ID of the purchased content, which may limit the attack surface but still poses a privacy and content theft risk. The vulnerability does not affect system integrity or availability and does not require user interaction or authentication, but the attack complexity is high due to the need for specific information. No patches or exploits are currently documented, but the vulnerability is publicly disclosed as of December 17, 2024. The CVSS v3.1 base score is 3.7, reflecting a low severity rating primarily due to limited impact and exploitation complexity.

The primary impact of CVE-2024-9654 is unauthorized disclosure of purchase receipts and access to paid digital content. This can lead to revenue loss for content providers as attackers can download paid materials without authorization. Additionally, the exposure of purchase receipts may reveal sensitive customer information, potentially violating privacy regulations such as GDPR. While the vulnerability does not compromise system integrity or availability, it undermines trust in the e-commerce platform and may damage the reputation of affected organizations. Attackers with knowledge of customer emails and file IDs could exploit this flaw to access multiple users' content, especially in scenarios where email addresses are easily guessable or leaked. Organizations relying on Easy Digital Downloads for digital sales are at risk of content theft and customer data exposure, which can have financial and legal consequences.

Organizations should immediately verify if they are running affected versions (3.1 through 3.3.4) of the Easy Digital Downloads plugin and plan to upgrade to a patched version once released by the vendor. Until a patch is available, administrators can implement access controls to restrict access to purchase receipt endpoints, such as IP whitelisting or requiring user authentication for receipt retrieval. Monitoring web server logs for suspicious access patterns involving receipt URLs and email enumeration attempts can help detect exploitation attempts. Additionally, organizations should educate customers on protecting their email addresses and consider implementing rate limiting or CAPTCHA protections on endpoints that handle receipt verification requests. Reviewing and enhancing authorization checks in custom plugin extensions or integrations can further reduce risk. Regular security audits and vulnerability scanning of WordPress plugins are recommended to identify and remediate similar issues proactively.