What the vulnerability does
01 Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to a PayPal IPN verification bypass. Verification is unconditionally skipped when the POST body includes verification_override=1. Because that value is attacker-supplied, an unauthenticated request can deliver a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id matching the order is still needed, which restricts manipulation to orders the attacker placed; that, in turn, requires the attacker to hold a customer account on the site.
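The pattern behind that bypass, beside one way to close it, as an added illustration rather than Easy Digital Downloads' own code. The function names, the EDD_EXAMPLE_ALLOW_IPN_OVERRIDE constant and the sample IPN message are assumptions made for this example. The PayPal postback (resend the received fields with cmd=_notify-validate and expect the literal reply VERIFIED) is the standard IPN verification step; it is passed in as a callable so the self-check at the bottom runs offline without contacting PayPal.

```php
<?php
// Added example, not code from the Easy Digital Downloads project.
// Models the flaw described above: a request-supplied flag that unconditionally
// skips PayPal IPN verification. Names prefixed edd_example_ and the constant
// EDD_EXAMPLE_ALLOW_IPN_OVERRIDE are hypothetical.

/**
 * Vulnerable pattern: the override flag is read from the POST body, so any
 * sender can set it and the postback to PayPal is never consulted.
 *
 * @param array    $post     Decoded IPN POST body.
 * @param callable $postback function(array $post): string, PayPal's 'VERIFIED' or 'INVALID'.
 */
function edd_example_ipn_verified_vulnerable( array $post, callable $postback ) {
    // Attacker-controlled short circuit: verification is skipped outright.
    if ( isset( $post['verification_override'] ) && '1' === $post['verification_override'] ) {
        return true;
    }
    return 'VERIFIED' === $postback( $post );
}

/**
 * Hardened pattern: the only override is a server-side constant the site owner
 * defines (for example in wp-config.php), it is refused on production, and
 * nothing in the request body can switch it on.
 */
function edd_example_ipn_verified_fixed( array $post, callable $postback ) {
    $override_allowed = defined( 'EDD_EXAMPLE_ALLOW_IPN_OVERRIDE' )
        && true === EDD_EXAMPLE_ALLOW_IPN_OVERRIDE
        && function_exists( 'wp_get_environment_type' )
        && 'production' !== wp_get_environment_type();

    if ( $override_allowed ) {
        return true;
    }

    // The request body is data, never policy: whatever it contains, the
    // message is verified against PayPal before it is trusted.
    return 'VERIFIED' === $postback( $post );
}

/**
 * Real transport for WordPress: echo the received fields back to PayPal with
 * cmd=_notify-validate prepended. Only a reply of exactly VERIFIED counts;
 * transport errors are treated as INVALID.
 */
function edd_example_paypal_postback( array $post ) {
    $response = wp_remote_post(
        'https://ipnpb.paypal.com/cgi-bin/webscr',
        array(
            'body'    => array_merge( array( 'cmd' => '_notify-validate' ), $post ),
            'timeout' => 15,
        )
    );
    if ( is_wp_error( $response ) ) {
        return 'INVALID';
    }
    return trim( wp_remote_retrieve_body( $response ) );
}

// Offline self-check with a constructed forged IPN. The fake postback always
// answers INVALID, which is what PayPal returns for a message it never sent.
$forged = array(
    'txn_id'                => 'EXAMPLE-TXN-0001', // constructed value
    'payment_status'        => 'Completed',
    'verification_override' => '1',
);
$reject_all = function ( array $post ) {
    return 'INVALID';
};

var_dump( edd_example_ipn_verified_vulnerable( $forged, $reject_all ) );
var_dump( edd_example_ipn_verified_fixed( $forged, $reject_all ) );
```

Run with the PHP CLI outside WordPress: the vulnerable function accepts the forged message, the fixed one rejects it, because outside WordPress wp_get_environment_type() does not exist and the override can never be enabled. The point of the fix is not the constant itself but that the decision is made from server configuration rather than from anything the sender controls.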
Explanation of Vulnerability in Simple Terms
02 Summary
Easy Digital Downloads versions 3.5.2 and earlier treat a PayPal payment notification as verified whenever the request carries verification_override=1, so a forged notification is processed without the usual check against PayPal. The notification endpoint itself requires no login and no user interaction, but in practice an attacker can only manipulate orders they placed themselves, because a valid PayPal transaction id is needed. Site administrators should update to a version newer than 3.5.2.
What an attacker can do
03 Attacker Capabilities
Submit a forged PayPal IPN that the site accepts as verified and thereby manipulate orders the attacker placed, without the notification itself being authenticated.
Potential impact on your site
04 Site Impact
An attacker can change the state of their own orders through forged payment notifications that the site accepts as verified, so order state on the site can diverge from what PayPal actually recorded.
Conditions required to exploit
05 Prerequisites
The IPN endpoint requires no authentication or user interaction, but exploitation needs a valid PayPal transaction id, which in practice means a customer account and an order placed by the attacker.
Key dates
06 Disclosure timeline
November 6, 2025
CVE published
April 8, 2026
Record updated