{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11271", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-03T21:53:31.464Z", "datePublished": "2025-11-06T04:36:22.463Z", "dateUpdated": "2026-04-08T16:51:15.440Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:15.440Z"}, "affected": [{"vendor": "smub", "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account."}], "title": "Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf?source=cve"}, {"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/includes/gateways/paypal/ipn.php"}, {"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/src/Gateways/PayPal/IPN.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3382964%40easy-digital-downloads%2Ftrunk&old=3364285%40easy-digital-downloads%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision", "cweId": "CWE-807", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jamie Davies"}], "timeline": [{"time": "2025-10-03T22:10:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-05T16:27:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T15:50:26.199391Z", "id": "CVE-2025-11271", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T15:50:35.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11271", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T15:50:26.199391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T15:50:30.456Z"}}], "cna": {"title": "Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Jamie Davies"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-03T22:10:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-05T16:27:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf?source=cve"}, {"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/includes/gateways/paypal/ipn.php"}, {"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/src/Gateways/PayPal/IPN.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3382964%40easy-digital-downloads%2Ftrunk&old=3364285%40easy-digital-downloads%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:15.440Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11271", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:15.440Z", "dateReserved": "2025-10-03T21:53:31.464Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T04:36:22.463Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account."}], "id": "CVE-2025-11271", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-06T05:15:54.917", "references": [{"source": "security@wordfence.com", "url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/includes/gateways/paypal/ipn.php"}, {"source": "security@wordfence.com", "url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/src/Gateways/PayPal/IPN.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3382964%40easy-digital-downloads%2Ftrunk&old=3364285%40easy-digital-downloads%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:55:16.518049+00:00", "value": {"mitigation_remediation": ["Upgrade the Easy Digital Downloads plugin to version 3.5.3 or later, where the verification bypass has been fixed.", "If an upgrade is not immediately possible, modify the plugin source (or apply a custom filter) to remove or disable the verification_override parameter from the IPN handler so that all POST requests fall through the standard verification routine.", "Add an extra layer of validation that cross\u2011checks any received PayPal transaction ID against PayPal\u2019s verified transaction records before updating order status, thereby preventing forged IPN requests from manipulating the order state."], "summary": {"action": "Update", "impact": "Unauthenticated order manipulation via forged IPN verification bypass"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Easy Digital Downloads eCommerce plugin version 3.5.2 or earlier. The plugin vendor is smub and the product is the Easy Digital Downloads plugin for WordPress. Any site running a version up to and including 3.5.2 is vulnerable.", "description_and_impact": "The Easy Digital Downloads WordPress plugin allows an attacker to submit a forged PayPal IPN request that bypasses order verification when the POST body contains the parameter verification_override=1. Because this value is supplied by the attacker, the plugin treats the request as verified regardless of the normal verification setting. The attacker must supply a valid PayPal transaction ID and have an existing customer account, but otherwise can have the order status altered or created without actual payment confirmation, potentially leading to unauthorized fulfillment and financial loss.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of <1% suggests that exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the ability to send arbitrary HTTP POST requests to the PayPal IPN endpoint, the knowledge of a valid PayPal transaction ID, and an existing user account on the site. Once these conditions are met, an unauthenticated actor can have the order marked as verified and influence order state without proper payment confirmation."}}}}, "created": "2025-11-06T10:06:43.996916+00:00", "updated": "2026-04-22T13:00:09.741143+00:00", "vendors": ["smub", "smub$PRODUCT$easy_digital_downloads", "wordpress", "wordpress$PRODUCT$wordpress"]}