What the vulnerability does
01 Description
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
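The bug class described above, an AJAX endpoint that logged-out visitors can reach and that returns a post title without checking visibility, is shown below next to a hardened form. This is an added example, not code from Easy Digital Downloads: the handler names, action names and the `download_id` request parameter are hypothetical, and `download` is assumed to be the plugin's post type.

```php
<?php
// Added illustration. Function names, action names and the 'download_id'
// parameter are hypothetical; this is not the plugin's source code.

// Vulnerable pattern: reachable without login (wp_ajax_nopriv_*) and returns
// the title of whatever post ID is supplied, whatever its status.
function example_get_title_unsafe() {
	$id = isset( $_POST['download_id'] ) ? absint( $_POST['download_id'] ) : 0;
	wp_send_json_success( array( 'title' => get_the_title( $id ) ) );
}
add_action( 'wp_ajax_nopriv_example_get_title_unsafe', 'example_get_title_unsafe' );

// Hardened pattern: resolve the post first, then apply the same visibility
// rule the front end would apply before disclosing anything about it.
function example_get_title_safe() {
	$id   = isset( $_POST['download_id'] ) ? absint( $_POST['download_id'] ) : 0;
	$post = $id ? get_post( $id ) : null;

	// One generic error for "missing", "wrong type" and "not allowed", so the
	// response cannot be used to tell which IDs exist.
	// Assumption: 'download' is the post type that holds the products.
	if ( ! $post || 'download' !== $post->post_type ) {
		wp_send_json_error( null, 404 );
	}

	// Published posts are public. Anything else (private, draft, pending)
	// requires a user who is allowed to read that specific post.
	if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
		wp_send_json_error( null, 404 );
	}

	wp_send_json_success( array( 'title' => get_the_title( $post ) ) );
}
add_action( 'wp_ajax_example_get_title_safe', 'example_get_title_safe' );
add_action( 'wp_ajax_nopriv_example_get_title_safe', 'example_get_title_safe' );
```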
Explanation of Vulnerability in Simple Terms
02 Summary
Easy Digital Downloads versions 3.3.6.1 and earlier expose sensitive information to unauthenticated attackers over the network. The vulnerability allows an attacker to read data that should be restricted, such as customer details or transaction information. No user interaction or special privileges are required to exploit this flaw. Site administrators should update to a version newer than 3.3.6.1 as soon as a patch becomes available.
What an attacker can do
03 Attacker Capabilities
Read sensitive information like customer data or transaction details without authentication.
Potential impact on your site
04 Site Impact
Customer data and transaction information may be exposed to unauthorized parties.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 25, 2025: CVE published
April 8, 2026: Record updated