CVE-2025-11271
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-11271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-06

Last updated on: 2025-11-06

Assigner: Wordfence

Description

The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-06
Last Modified
2025-11-06
Generated
2026-07-06
AI Q&A
2025-11-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
awesomemotive easy_digital_downloads 3.5.2
awesomemotive easy_digital_downloads *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Easy Digital Downloads plugin for WordPress up to version 3.5.2. It allows an attacker to bypass order verification by including a specific parameter (verification_override=1) in the POST request body. Because this parameter is attacker-controlled, an unauthenticated attacker can submit a forged Instant Payment Notification (IPN) that the system treats as verified, even when verification is enabled. However, the attacker must have a valid PayPal transaction ID and a customer account, limiting the manipulation to orders they place themselves.

Impact Analysis

This vulnerability allows an attacker to manipulate orders by bypassing the verification process, potentially enabling them to fraudulently confirm orders they placed. This could lead to unauthorized access to products or services without proper payment confirmation, causing financial loss or disruption to the business operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart