CVE-2025-11271
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-06
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awesomemotive | easy_digital_downloads | 3.5.2 |
| awesomemotive | easy_digital_downloads | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Easy Digital Downloads plugin for WordPress up to version 3.5.2. It allows an attacker to bypass order verification by including a specific parameter (verification_override=1) in the POST request body. Because this parameter is attacker-controlled, an unauthenticated attacker can submit a forged Instant Payment Notification (IPN) that the system treats as verified, even when verification is enabled. However, the attacker must have a valid PayPal transaction ID and a customer account, limiting the manipulation to orders they place themselves.
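The flaw class described above (CWE-807), modelled next to a hardened decision and a request-body check a defender could run, as an added example. It is not the plugin's code; the function names, the `verify_enabled` setting and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

OVERRIDE_PARAM = "verification_override"  # parameter name given in the advisory text


def parse_body(raw: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body, keeping duplicates and blanks."""
    return parse_qsl(raw, keep_blank_values=True)


def skips_verification_flawed(raw: str, verify_enabled: bool) -> bool:
    """Model of the flaw: a field in the request can switch verification off."""
    post = dict(parse_body(raw))
    return (not verify_enabled) or post.get(OVERRIDE_PARAM) == "1"


def skips_verification_hardened(raw: str, verify_enabled: bool) -> bool:
    """Only the server-side setting decides; request input is never consulted."""
    return not verify_enabled


def override_fields(raw: str) -> list[tuple[str, str]]:
    """Detection: return every (key, value) whose decoded key is the override field.

    Matching on parsed keys, not on a raw substring, avoids flagging bodies that
    merely mention the name inside another field's value.
    """
    return [(k, v) for k, v in parse_body(raw) if k == OVERRIDE_PARAM]


# Constructed sample bodies (txn_id values are placeholders, not real transactions).
SAMPLES = {
    "normal": "txn_id=PLACEHOLDER123&payment_status=Completed",
    "override": "txn_id=PLACEHOLDER123&payment_status=Completed&verification_override=1",
    "memo": "txn_id=PLACEHOLDER123&memo=note+about+verification_override%3D1",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(
            f"{name:9}",
            "flawed skips:", skips_verification_flawed(body, True),
            "| hardened skips:", skips_verification_hardened(body, True),
            "| flagged:", override_fields(body),
        )
```

With verification enabled, only the flawed model lets the request body disable the check; the hardened form returns the same answer for every body.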
How can this vulnerability impact me?
This vulnerability allows an attacker to manipulate orders by bypassing the verification process, potentially enabling them to fraudulently confirm orders they placed. This could lead to unauthorized access to products or services without proper payment confirmation, causing financial loss or disruption to the business operations.