Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Published: 2025-12-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Phishing via user redirection
Action: Immediate Patch
AI Analysis

Impact

The Easy Digital Downloads WordPress plugin contains an unvalidated redirect flaw in the password‑reset workflow. An unauthenticated attacker can supply a malicious URL with the edd_redirect parameter, causing the password‑reset email to link to a site of the attacker’s choosing. This redirect can be used to trick users into visiting phishing pages that harvest credentials or install malware. The vulnerability does not provide direct code execution but enables social engineering attacks that compromise user confidentiality and could undermine the integrity of the site’s authentication process.

Affected Systems

All installations of the Easy Digital Downloads plugin for WordPress up to and including version 3.6.2 are affected. The vulnerability is tied to the password‑reset functionality whereby a redirect URL is supplied via the edd_redirect parameter.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium impact but low exploitation potential; the EPSS score of less than 1% indicates that exploitation is unlikely at this time. The flaw is not currently listed in the CISA KEV catalogue, suggesting limited known exploitation. Nevertheless an attacker could exploit this by persuading a user to click a password‑reset link that is redirected to a malicious site, making the threat realistic for any website that relies on the plugin and uses the default password‑reset flow.

Generated by OpenCVE AI on April 21, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Digital Downloads plugin to version 3.6.3 or later, which removes the unvalidated redirect handling.
  • If an update cannot be applied immediately, restrict the edd_redirect parameter to trusted URLs or disable the redirect feature for password reset emails so that no external redirect can occur.
  • Audit the authentication and password recovery pages of the site to ensure that no other redirect parameters are accepted without strict validation, following best practices for preventing CWE‑640 style vulnerabilities.

Generated by OpenCVE AI on April 21, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Smub
Smub easy Digital Downloads
Wordpress
Wordpress wordpress
Vendors & Products Smub
Smub easy Digital Downloads
Wordpress
Wordpress wordpress

Wed, 31 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 31 Dec 2025 06:45:00 +0000

Type Values Removed Values Added
Description The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Title Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect
Weaknesses CWE-640
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Smub Easy Digital Downloads
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:21.110Z

Reserved: 2025-12-16T13:32:13.229Z

Link: CVE-2025-14783

cve-icon Vulnrichment

Updated: 2025-12-31T16:25:48.046Z

cve-icon NVD

Status : Deferred

Published: 2025-12-31T07:15:49.197

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14783

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses