CVE-2025-14783 MEDIUM

CVE-2025-14783: Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect

Vendor Smub
Product Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Weakness CWE-640 · Weak password recovery
Published December 31, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation of the redirect URL supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to use the password reset email to redirect users to potentially malicious sites, provided they can successfully trick them into performing an action.
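The defensive check this class of bug calls for, as an added example that is not the plugin's code: a same-origin validation of a redirect target (the role wp_validate_redirect()/wp_safe_redirect() play in WordPress), plus a scan of constructed request lines for an off-site edd_redirect value. The allowed host and the reset-page path are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts a redirect may target. Constructed for this example; a real site
# would use its own host (WordPress keeps such a list in wp_validate_redirect()).
ALLOWED_HOSTS = {"shop.example.com"}

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a site-relative path or an http(s) URL on an allowed host."""
    if not target:
        return False
    # Decode once more to catch double-encoded values, then refuse characters
    # browsers may rewrite into '/' or use to split the URL (backslash, CR/LF, NUL).
    t = unquote(target).strip()
    if any(c in t for c in "\\\r\n\t\0"):
        return False
    try:
        parts = urlsplit(t)
    except ValueError:  # malformed host part, e.g. a bad IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and similar schemes
    if parts.netloc:
        # .hostname drops userinfo and port and lower-cases, so a value such
        # as 'allowed-host@evil.example' is judged by 'evil.example'.
        return (parts.hostname or "") in allowed_hosts
    # No scheme and no host: accept only a path beginning with a single '/'
    # (a protocol-relative '//host' was already routed into netloc above).
    return t.startswith("/") and not t.startswith("//")

def redirect_param_from_url(url, param="edd_redirect"):
    """Return the decoded redirect parameter of a request/reset URL, or None."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]

# Constructed request lines for a password-reset page (assumed path, not the
# plugin's real endpoint), as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/account/?action=reset&edd_redirect=%2Fcheckout%2F",
    "/account/?action=reset&edd_redirect=https%3A%2F%2Fevil.example%2Flogin",
    "/account/?action=reset&edd_redirect=%2F%2Fevil.example",
    "/account/?action=reset&edd_redirect=https%3A%2F%2Fshop.example.com%2Faccount",
]

def flag_offsite_redirects(requests, allowed_hosts=ALLOWED_HOSTS):
    """Return the edd_redirect values that the safe-redirect check refuses."""
    flagged = []
    for line in requests:
        target = redirect_param_from_url(line)
        if target is not None and not is_safe_redirect(target, allowed_hosts):
            flagged.append(target)
    return flagged
```

Rejecting rather than rewriting a suspicious target is the safe direction; a refused value should fall back to the site's own account page.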

Explanation of Vulnerability in Simple Terms

02 Summary

Easy Digital Downloads versions 3.6.2 and earlier contain a weakness that allows an attacker to modify data through user interaction. The vulnerability requires no authentication but does require the victim to visit a malicious link or page. The integrity of site data can be compromised, though confidentiality and availability are not affected.

What an attacker can do

03 Attacker Capabilities

Modify site data or user information by tricking a visitor into clicking a malicious link.

Potential impact on your site

04 Site Impact

Site data integrity may be compromised; user-generated content or settings could be altered without authorization.

Conditions required to exploit

05 Prerequisites

Victim must click an attacker-supplied link or visit a malicious page; no login required.

Key dates

06 Disclosure timeline

December 31, 2025 CVE published
April 8, 2026 Record updated