{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8102", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-23T20:45:30.551Z", "datePublished": "2025-08-20T11:26:09.579Z", "dateUpdated": "2026-04-08T16:57:20.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:20.755Z"}, "affected": [{"vendor": "smub", "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/636c9d92-ee62-499d-8d73-33cd63bb5af8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.5.0/includes/deprecated-functions.php#L1678"}, {"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3346633/easy-digital-downloads/trunk/includes/deprecated-functions.php?old=3328623&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fdeprecated-functions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-07-29T06:39:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-19T23:05:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T13:18:00.586044Z", "id": "CVE-2025-8102", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T13:18:10.325Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8102", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T13:18:00.586044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T13:18:04.519Z"}}], "cna": {"title": "Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "smub", "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-29T06:39:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-19T23:05:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/636c9d92-ee62-499d-8d73-33cd63bb5af8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.5.0/includes/deprecated-functions.php#L1678"}, {"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3346633/easy-digital-downloads/trunk/includes/deprecated-functions.php?old=3328623&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fdeprecated-functions.php"}], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:20.755Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8102", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:20.755Z", "dateReserved": "2025-07-23T20:45:30.551Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-20T11:26:09.579Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Easy Digital Downloads para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.5.0 incluida. Esto se debe a la falta de validaciones de nonce en las funciones edd_sendwp_disconnect() y edd_sendwp_remote_install(). Esto permite que atacantes no autenticados desactiven o descarguen y activen el complemento SendWP mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-8102", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-20T12:15:29.273", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.5.0/includes/deprecated-functions.php#L1678"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3346633/easy-digital-downloads/trunk/includes/deprecated-functions.php?old=3328623&old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fdeprecated-functions.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/636c9d92-ee62-499d-8d73-33cd63bb5af8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:26:07.410127+00:00", "value": {"mitigation_remediation": ["Upgrade Easy Digital Downloads to version 3.5.1 or later where nonce checks have been added.", "If an upgrade is not immediately possible, disable the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions by removing or commenting them from the plugin\u2019s code, or by uninstalling the SendWP plugin and blocking its remote\u2011install capability in the Easy Digital Downloads settings.", "Educate administrators to avoid clicking suspicious links, enable multi\u2011factor authentication for WordPress admin accounts, and consider a security plugin that monitors and blocks anomalous POST requests carrying missing nonces."], "summary": {"action": "Patch Immediately", "impact": "Cross-Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of the Easy Digital Downloads WordPress plugin version 3.5.0 or earlier issued by the SMUB vendor are affected. The vulnerability applies to any site using that plugin, whether the administrator performs the action through a browser or via a malicious link.", "description_and_impact": "The vulnerability exists because the Easy Digital Downloads plugin\u2019s edd_sendwp_disconnect() and edd_sendwp_remote_install() functions omit the required nonce validation. An unauthenticated attacker can construct a forged request that, when executed by a logged\u2011in site administrator, will either deactivate the plugin or install and activate the SendWP plugin. This may lead to loss of eCommerce functionality or unintended plugin behavior without the administrator\u2019s knowledge.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of real\u2011world exploitation at present. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack vector is most likely social\u2011engineering: an attacker must trick an administrator into clicking a crafted link that triggers the missing\u2011nonce request. Once the administrator\u2019s session is used, the plugin can be deactivated, or the SendWP plugin can be force\u2011installed and activated on the site."}}}}, "created": "2026-04-21T03:30:26.335554+00:00", "updated": "2026-04-21T03:30:26.335571+00:00", "vendors": []}