Easy Digital Download < 3.5.3 – Insufficient Verification to Order Manipulation | CVE 2025-11271 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Order Manipulation due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.

Affects Plugins

easy-digital-downloads

Fixed in 3.5.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf

Miscellaneous

Original Researcher

Jay

Verified

No

WPVDB ID

e0f118c4-a256-486d-8dc0-9a9d652c2e55

Timeline

Publicly Published

2025-11-05 (about 7 months ago)

Added

2025-11-06 (about 7 months ago)

Last Updated

2025-11-06 (about 7 months ago)

Other

Published

Title

Published

2025-08-21

Title

Wp Edit Password Protected < 1.3.5 - Protection Bypass via REST API

Published

2019-05-19

Title

Option Tree < 2.7.3 - Object Injection Bypass

Published

2023-01-30

Title

PrivateContent < 8.4.4 - Brute Force Protection Bypass

Published

2018-10-02

Title

Wordfence < 7.1.14 - Username Enumeration Prevention Bypass

Published

2019-01-25

Title

Total Donations - Update Arbitrary WordPress Option Values