Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists because the Easy Digital Downloads plugin’s edd_sendwp_disconnect() and edd_sendwp_remote_install() functions omit the required nonce validation. An unauthenticated attacker can construct a forged request that, when executed by a logged‑in site administrator, will either deactivate the plugin or install and activate the SendWP plugin. This may lead to loss of eCommerce functionality or unintended plugin behavior without the administrator’s knowledge.

Affected Systems

All installations of the Easy Digital Downloads WordPress plugin version 3.5.0 or earlier issued by the SMUB vendor are affected. The vulnerability applies to any site using that plugin, whether the administrator performs the action through a browser or via a malicious link.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of real‑world exploitation at present. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is most likely social‑engineering: an attacker must trick an administrator into clicking a crafted link that triggers the missing‑nonce request. Once the administrator’s session is used, the plugin can be deactivated, or the SendWP plugin can be force‑installed and activated on the site.

Generated by OpenCVE AI on April 21, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Digital Downloads to version 3.5.1 or later where nonce checks have been added.
  • If an upgrade is not immediately possible, disable the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions by removing or commenting them from the plugin’s code, or by uninstalling the SendWP plugin and blocking its remote‑install capability in the Easy Digital Downloads settings.
  • Educate administrators to avoid clicking suspicious links, enable multi‑factor authentication for WordPress admin accounts, and consider a security plugin that monitors and blocks anomalous POST requests carrying missing nonces.

Generated by OpenCVE AI on April 21, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28788 The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:20.755Z

Reserved: 2025-07-23T20:45:30.551Z

Link: CVE-2025-8102

cve-icon Vulnrichment

Updated: 2025-08-20T13:18:04.519Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T12:15:29.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8102

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses