Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.
Published: 2025-11-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated order manipulation via forged IPN verification bypass
Action: Update
AI Analysis

Impact

The Easy Digital Downloads WordPress plugin allows an attacker to submit a forged PayPal IPN request that bypasses order verification when the POST body contains the parameter verification_override=1. Because this value is supplied by the attacker, the plugin treats the request as verified regardless of the normal verification setting. The attacker must supply a valid PayPal transaction ID and have an existing customer account, but otherwise can have the order status altered or created without actual payment confirmation, potentially leading to unauthorized fulfillment and financial loss.

Affected Systems

WordPress sites that use the Easy Digital Downloads eCommerce plugin version 3.5.2 or earlier. The plugin vendor is smub and the product is the Easy Digital Downloads plugin for WordPress. Any site running a version up to and including 3.5.2 is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of <1% suggests that exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the ability to send arbitrary HTTP POST requests to the PayPal IPN endpoint, the knowledge of a valid PayPal transaction ID, and an existing user account on the site. Once these conditions are met, an unauthenticated actor can have the order marked as verified and influence order state without proper payment confirmation.

Generated by OpenCVE AI on April 22, 2026 at 12:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Digital Downloads plugin to version 3.5.3 or later, where the verification bypass has been fixed.
  • If an upgrade is not immediately possible, modify the plugin source (or apply a custom filter) to remove or disable the verification_override parameter from the IPN handler so that all POST requests fall through the standard verification routine.
  • Add an extra layer of validation that cross‑checks any received PayPal transaction ID against PayPal’s verified transaction records before updating order status, thereby preventing forged IPN requests from manipulating the order state.

Generated by OpenCVE AI on April 22, 2026 at 12:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Smub
Smub easy Digital Downloads
Wordpress
Wordpress wordpress
Vendors & Products Smub
Smub easy Digital Downloads
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.
Title Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation
Weaknesses CWE-807
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Smub Easy Digital Downloads
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:15.440Z

Reserved: 2025-10-03T21:53:31.464Z

Link: CVE-2025-11271

cve-icon Vulnrichment

Updated: 2025-11-06T15:50:30.456Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T05:15:54.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses