Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Digital Downloads plugin for WordPress contains a flaw in the handle_oauth_redirect() function. A nonce check is omitted, allowing an attacker to send a crafted request with a square_tokens parameter that the server processes as if it came from an authenticated administrator. This missing CSRF protection means an unauthenticated attacker can trick a logged‑in admin into clicking a link that overwrites the store’s Square payment gateway credentials, potentially leading to hijacked payment accounts.

Affected Systems

All installations of the Easy Digital Downloads plugin version 3.6.7 and earlier are vulnerable. The product is the Easy Digital Downloads eCommerce Payments and Subscriptions plugin for WordPress. No specific sub‑versions or extensions are listed separately.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity threat. The EPSS score is not available, but the lack of any exploit code in the public domain and the fact that it is not listed in CISA’s KEV catalog suggest a moderate likelihood of exploitation. Inferred attack vector: an attacker would craft a URL containing a square_tokens parameter and lure a logged‑in administrator to click it, thereby executing the CSRF attack without authentication.

Generated by OpenCVE AI on May 28, 2026 at 07:20 UTC.
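To show what the missing nonce verification looks like in practice, here is an added illustration that is not the plugin's code and not part of this OpenCVE record: a hypothetical `admin_init` handler of the shape the description outlines, beside a hardened version that applies the standard WordPress defences (a capability check plus `check_admin_referer()`). The function names, the option name, the nonce action `hypothetical_square_oauth` and the `access_token` key are assumptions.

```php
<?php
// Hypothetical handler in the shape the CVE description outlines (NOT the
// plugin's real code). It runs on admin_init and persists whatever the GET
// parameter carries, with no nonce and no capability check, so any request
// that reaches admin_init with this parameter is honoured. That is the CSRF
// condition (CWE-352) described above.
function hypothetical_oauth_redirect_vulnerable() {
    if ( empty( $_GET['square_tokens'] ) ) {
        return;
    }
    $tokens = json_decode( wp_unslash( $_GET['square_tokens'] ), true );
    update_option( 'hypothetical_square_tokens', $tokens ); // credentials overwritten
}

// Hardened form. Assumed names: nonce action 'hypothetical_square_oauth' and
// the default query argument '_wpnonce'.
function hypothetical_oauth_redirect_hardened() {
    if ( empty( $_GET['square_tokens'] ) ) {
        return;
    }
    // 1. Only a user who may manage the site's options can change gateway
    //    credentials; an unauthenticated request never gets this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce bound to this action and to the
    //    current user's session. check_admin_referer() terminates with a 403
    //    if it is missing or invalid. The nonce is minted with
    //    wp_create_nonce( 'hypothetical_square_oauth' ) when the OAuth
    //    redirect URL is built, so a link forged by a third party cannot
    //    include a valid one.
    check_admin_referer( 'hypothetical_square_oauth', '_wpnonce' );
    // 3. Validate the shape of the payload before persisting it.
    $tokens = json_decode( wp_unslash( $_GET['square_tokens'] ), true );
    if ( ! is_array( $tokens ) || empty( $tokens['access_token'] ) ) {
        wp_die( 'Malformed token payload.', '', array( 'response' => 400 ) );
    }
    update_option( 'hypothetical_square_tokens', $tokens );
}
add_action( 'admin_init', 'hypothetical_oauth_redirect_hardened' );
```

The capability check alone is not sufficient here, since the victim in the described scenario is already an administrator; the nonce is what ties the request to an action the administrator's own session initiated.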

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy Digital Downloads to the latest release (v3.6.8 or newer) which adds nonce verification to the OAuth redirect handler.
  • If an immediate update is not feasible, temporarily disable the Square gateway in the plugin settings so no credentials can be overwritten until the patch is applied.
  • After applying the patch or disabling the gateway, monitor user activity for anomalous changes to payment gateway settings and ensure that no unauthorized changes persist.

Generated by OpenCVE AI on May 28, 2026 at 07:20 UTC.


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Removed:
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 06:00:00 +0000

Type: Description
Values Removed:
Values Added: The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.

Type: Title
Values Removed:
Values Added: Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter

Type: Weaknesses
Values Removed:
Values Added: CWE-352

Type: References
Values Removed:
Values Added:

Type: Metrics (cvssV3_1)
Values Removed:
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:36:05.265Z

Reserved: 2026-04-30T18:01:14.679Z

Link: CVE-2026-7533

Vulnrichment

Updated: 2026-05-28T10:35:59.658Z

NVD

Status : Deferred

Published: 2026-05-28T06:16:28.730

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T07:30:11Z

Weaknesses