Easy Digital Downloads Unvalidated Redirect Vulnerability in Password Reset Flow

Vulnerability

A vulnerability allowing unvalidated redirects has been identified in the Easy Digital Downloads plugin for WordPress, affecting all versions through 3.6.2. The issue arises from inadequate validation of the redirect URL supplied via the 'edd_redirect' parameter. This flaw enables unauthenticated attackers to redirect users who receive password reset emails to potentially harmful websites, provided they can trick those users into taking certain actions.

Impact

Exploitation of this vulnerability could lead to users being redirected to malicious sites, potentially causing harm or allowing for further attacks.

Reproduction

To reproduce this vulnerability, an attacker can abuse the 'edd_redirect' parameter in the password reset process. By inserting a malicious URL into this parameter, it is possible to redirect users to harmful sites when they receive their password reset email. This requires convincing the user to take an action that triggers the password reset process.

Remediation

Users are advised to update the Easy Digital Downloads plugin to version 3.6.3 or later.
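The fix for this class of bug is an allow-list check on the redirect target before it is used. The following stand-alone PHP is an added illustration, not the plugin's own code and not the patch shipped in 3.6.3 (which this page does not show); the function name safe_redirect_target, the host shop.example and the sample inputs are constructed for the example. In WordPress plugin code the built-in equivalent is wp_validate_redirect() / wp_safe_redirect(), whose allowed hosts are set through the 'allowed_redirect_hosts' filter.

```php
<?php
// Added example (not Easy Digital Downloads' own code): an allow-list check
// for a redirect target taken from a request parameter such as 'edd_redirect'.

/**
 * Return $target if it is a same-site path or URL, otherwise $fallback.
 *
 * @param string $target   Raw value from the request (untrusted).
 * @param string $siteHost Host this site is served from, e.g. "shop.example".
 * @param string $fallback Safe default destination used when validation fails.
 */
function safe_redirect_target(string $target, string $siteHost, string $fallback): string
{
    $target = trim($target);

    // Empty value: nothing to honour, use the default.
    if ($target === '') {
        return $fallback;
    }

    // Control characters and backslashes are never legitimate; browsers treat
    // "\" like "/", so "/\evil.example" would act as a scheme-relative URL.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }

    // Scheme-relative ("//evil.example") is an absolute URL in disguise.
    if (strpos($target, '//') === 0) {
        return $fallback;
    }

    // A plain site-relative path ("/checkout/?x=1") stays on this origin.
    if ($target[0] === '/') {
        return $target;
    }

    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // Unparseable, or a scheme with no host ("javascript:", "data:",
        // "mailto:"): not a web location this site controls.
        return $fallback;
    }

    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // Exact, case-insensitive host match. A substring or suffix match would
    // let "shop.example.attacker.example" through.
    if (strtolower($parts['host']) !== strtolower($siteHost)) {
        return $fallback;
    }

    return $target;
}

// Constructed sample inputs, each labelled with the decision it should get.
$siteHost = 'shop.example';
$fallback = '/my-account/';
$samples = [
    '/my-account/?reset=1'                => 'allowed (relative path)',
    'https://shop.example/my-account/'    => 'allowed (same host)',
    'HTTPS://SHOP.EXAMPLE/my-account/'    => 'allowed (host compare is case-insensitive)',
    '//evil.example/'                     => 'blocked (scheme-relative)',
    '/\\evil.example/'                    => 'blocked (backslash)',
    'https://shop.example.evil.example/'  => 'blocked (host suffix trick)',
    'https://shop.example@evil.example/'  => 'blocked (userinfo trick, real host is evil.example)',
    'javascript:alert(1)'                 => 'blocked (non-http scheme)',
    "https://shop.example/\r\nX:1"        => 'blocked (control characters)',
    ''                                    => 'fallback (empty)',
];

foreach ($samples as $input => $expected) {
    $result = safe_redirect_target($input, $siteHost, $fallback);
    printf("%-42s -> %-36s [%s]\n", json_encode($input), $result, $expected);
}
```

Two design choices worth noting: the check compares the host only, so a request naming a different port on the same host is still honoured (tighten this if the site is served on a single known port), and anything that fails validation falls back to a fixed in-site page rather than being reported to the user, which keeps the reset flow working while denying the attacker any influence over the destination.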

Added: Dec 31, 2025, 7:23 AM
Updated: Dec 31, 2025, 7:23 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.