Easy Digital Downloads Order Manipulation Vulnerability

Vulnerability

A vulnerability allowing order manipulation has been identified in the Easy Digital Downloads plugin for WordPress, affecting all versions through 3.5.2. The issue arises from an order verification bypass, where the verification process is skipped if the POST body includes 'verification_override=1'. This attacker-supplied value enables an unauthenticated user to submit a forged Instant Payment Notification (IPN) that is accepted as verified, even on live sites with verification enabled. To exploit this vulnerability, a valid PayPal transaction ID is required, limiting the manipulation to orders made by the attacker, who must also have a customer account.
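
As an added illustration, not the plugin's own code, the hypothetical PHP below contrasts the flaw class described above with a hardened gate: whether IPN verification runs must be decided only by a server-side setting, never by a field in the request body. The constant and filter names (EXAMPLE_EDD_SKIP_IPN_VERIFICATION, example_edd_skip_ipn_verification) are made up for this example.

```php
<?php
// Hypothetical, simplified IPN gate; not Easy Digital Downloads' code.

// Vulnerable pattern: the override flag is read from the attacker-controlled POST body,
// so anyone who can reach the listener can switch verification off.
function ipn_needs_verification_vulnerable( array $post ) {
    if ( isset( $post['verification_override'] ) && '1' === $post['verification_override'] ) {
        return false; // verification skipped on the client's say-so
    }
    return true;
}

// Hardened pattern: the request body is ignored. Only a site-owner-controlled
// constant or filter (hypothetical names) can disable verification, e.g. on a sandbox.
function ipn_needs_verification_hardened() {
    $skip = defined( 'EXAMPLE_EDD_SKIP_IPN_VERIFICATION' ) && EXAMPLE_EDD_SKIP_IPN_VERIFICATION;
    $skip = (bool) apply_filters( 'example_edd_skip_ipn_verification', $skip );
    return ! $skip;
}

// Listener body: echo the exact IPN back to PayPal and require "VERIFIED"
// before any order lookup or status change happens.
function handle_ipn( array $post ) {
    if ( ipn_needs_verification_hardened() ) {
        $response = wp_remote_post( 'https://ipnpb.paypal.com/cgi-bin/webscr', array(
            // PayPal expects cmd=_notify-validate followed by the original fields, in order.
            'body'    => array_merge( array( 'cmd' => '_notify-validate' ), $post ),
            'timeout' => 15,
        ) );
        if ( is_wp_error( $response ) || 'VERIFIED' !== trim( wp_remote_retrieve_body( $response ) ) ) {
            error_log( 'IPN rejected: PayPal verification failed' ); // log for detection, then stop
            return false;
        }
    }
    // Only a verified IPN reaches this point: match txn_id, amount and currency against
    // the stored order before updating its status.
    return true;
}
```

Logging every rejected IPN, and every request to the listener that carries an unexpected override field, gives responders a concrete signal to alert on while a site is still on an affected version.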

Impact

Exploitation of this vulnerability allows for unauthorized order manipulation, including the potential to alter order statuses or transaction details.

Remediation

Users are advised to update the Easy Digital Downloads plugin to version 3.5.3 or a later patched version.

Added: Nov 6, 2025, 5:17 AM
Updated: Nov 6, 2025, 5:17 AM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:         0.6
exploitability: 9.0
remediation:    7.7
relevance:      0.9
threat:         3.2
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.