What the vulnerability does
01 Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation of the redirect URL supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users, via the password reset email, to potentially malicious sites if they can successfully trick them into performing an action.
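The defect described above is a missing same-site check on a user-supplied redirect target. As an added illustration (not the plugin's own code, which this advisory does not show), the following Python validator implements the kind of check such a parameter needs before it is stored or embedded in a password reset email; `SITE_HOST` and the sample targets are assumed values. In WordPress itself the equivalent built-in functions are `wp_validate_redirect()` and `wp_safe_redirect()`.

```python
from urllib.parse import urlsplit

# Assumed site host for the examples below; a real deployment takes this
# from the site's configured home URL (home_url() in WordPress).
SITE_HOST = "shop.example"


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if `target` is a site-relative path or an http(s) URL on `site_host`."""
    if not target or target != target.strip():
        return False
    if any(ch in target for ch in "\r\n\t"):
        return False
    # "//evil.example" and "/\evil.example" begin with "/" yet browsers treat
    # them as absolute URLs, so a naive "starts with a slash" check is not enough.
    if target.startswith(("//", "/\\", "\\")):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False        # javascript:, data:, mailto:, ...
        if "@" in parts.netloc:
            return False        # userinfo trick: https://shop.example@evil.example
        return parts.hostname is not None and parts.hostname.lower() == site_host.lower()
    if parts.netloc:
        return False
    return target.startswith("/")


def resolve_redirect(target: str, site_host: str = SITE_HOST, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe on-site fallback."""
    return target if is_safe_redirect(target, site_host) else fallback


if __name__ == "__main__":
    # Constructed sample values of the kind a redirect parameter might carry.
    for target in ("/checkout/", "https://shop.example/account/",
                   "https://evil.example/reset", "//evil.example",
                   "https://shop.example@evil.example/", "javascript:void(0)"):
        print(f"{target!r:42} -> {resolve_redirect(target)!r}")
```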
Explanation of Vulnerability in Simple Terms
02 Summary
Easy Digital Downloads versions 3.6.2 and earlier contain a weakness that allows an attacker to modify data through user interaction. The vulnerability requires no authentication but does require the victim to visit a malicious link or page. The integrity of site data can be compromised, though confidentiality and availability are not affected.
What an attacker can do
03 Attacker Capabilities
Modify site data or user information by tricking a visitor into clicking a malicious link.
Potential impact on your site
04 Site Impact
Site data integrity may be compromised; user-generated content or settings could be altered without authorization.
Conditions required to exploit
05 Prerequisites
Victim must click an attacker-supplied link or visit a malicious page; no login required.
Key dates
06 Disclosure timeline
December 31, 2025: CVE published
April 8, 2026: Record updated