Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-31
CVE-2025-14783 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
PLUGIN
Easy Digital Downloads
CVE-2025-14783
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-11271 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer…
PLUGIN
Easy Digital Downloads
CVE-2025-11271
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8102 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Digital Downloads
CVE-2025-8102
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4670 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Digital Downloads
CVE-2025-4670
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2252 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
PLUGIN
Easy Digital Downloads
CVE-2025-2252
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-13517 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-13517
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-12875 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Easy Digital Downloads
CVE-2024-12875
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-9654 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they…
PLUGIN
Easy Digital Downloads
CVE-2024-9654
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-6691 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-6691
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-6692 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-6692
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-2302 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII.
PLUGIN
Easy Digital Downloads
CVE-2024-2302
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-0659 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Digital Downloads
CVE-2024-0659
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2023-0380 - Easy Digital Downloads Plugin
The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Easy Digital Downloads
CVE-2023-0380
Risk Score
Threat Entry
Updated 2025-04-03
CVE-2023-23489 - Easy Digital Downloads Plugin
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.
PLUGIN
Easy Digital Downloads
CVE-2023-23489
Risk Score
Threat Entry
Updated 2025-02-20
CVE-2022-33900 - Easy Digital Downloads Plugin
PHP Object Injection vulnerability in Easy Digital Downloads plugin
PLUGIN
Easy Digital Downloads
CVE-2022-33900
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2022-0706 - Easy Digital Downloads Plugin
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
PLUGIN
Easy Digital Downloads
CVE-2022-0706
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2022-0707 - Easy Digital Downloads Plugin
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
PLUGIN
Easy Digital Downloads
CVE-2022-0707
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2021-39354 - Easy Digital Downloads Plugin
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.
PLUGIN
Easy Digital Downloads
CVE-2021-39354
Risk Score