CVE-2025-11271
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-06

Last updated on: 2025-11-06

Assigner: Wordfence

Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-06
Last Modified
2025-11-06
Generated
2026-06-16
AI Q&A
2025-11-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11271
EUVD
EUVD-2025-37973
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
awesomemotive easy_digital_downloads 3.5.2
awesomemotive easy_digital_downloads *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Easy Digital Downloads plugin for WordPress up to version 3.5.2. It allows an attacker to bypass order verification by including a specific parameter (verification_override=1) in the POST request body. Because this parameter is attacker-controlled, an unauthenticated attacker can submit a forged Instant Payment Notification (IPN) that the system treats as verified, even when verification is enabled. However, the attacker must have a valid PayPal transaction ID and a customer account, limiting the manipulation to orders they place themselves.

Impact Analysis

This vulnerability allows an attacker to manipulate orders by bypassing the verification process, potentially enabling them to fraudulently confirm orders they placed. This could lead to unauthorized access to products or services without proper payment confirmation, causing financial loss or disruption to the business operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart