CVE-2026-7533
Cross-Site Request Forgery in Easy Digital Downloads Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| easy_digital_downloads | easy_digital_downloads | up to and including 3.6.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Easy Digital Downloads plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 3.6.7. This occurs because the function handle_oauth_redirect(), which processes Square OAuth tokens from user-supplied GET parameters, does not verify a CSRF token (nonce). This function is triggered on the admin_init hook, allowing an attacker to trick a logged-in administrator into clicking a malicious link that can overwrite the store's Square payment gateway credentials.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to hijack the store's payment account by overwriting the Square payment gateway credentials. This happens when an administrator is tricked into clicking a crafted link, potentially leading to unauthorized control over payment processing and financial transactions.
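The defect described above is a state-changing admin_init handler that trusts GET parameters without a nonce. The following is an added, illustrative example of how such a handler is hardened in WordPress (capability check plus a nonce carried round-trip in the OAuth `state` parameter); it is not Easy Digital Downloads' code, and the function, option, parameter names and endpoint URL are assumptions.

```php
<?php
/**
 * Illustrative hardened handler, not the plugin's own code. All names
 * (example_*, the option key, the GET parameters, the endpoint) are assumptions.
 */

add_action( 'admin_init', 'example_handle_oauth_redirect' );

function example_handle_oauth_redirect() {
    // Act only on the OAuth callback request, identified by a request flag.
    if ( empty( $_GET['example_square_oauth'] ) ) {
        return;
    }

    // 1. Capability check: only users allowed to change store settings may
    //    complete the flow. admin_init runs for any logged-in admin-area request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce issued when the connection was started comes
    //    back in the OAuth `state` value and must verify for this user session.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'example_square_oauth_redirect' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // 3. Only after both checks pass is credential material read and stored.
    $access_token = isset( $_GET['access_token'] ) ? sanitize_text_field( wp_unslash( $_GET['access_token'] ) ) : '';
    if ( '' === $access_token ) {
        return;
    }
    update_option( 'example_square_access_token', $access_token ); // assumed option key
}

/**
 * When the administrator starts the connection, bind the flow to their session
 * by sending a freshly created nonce as the OAuth `state` parameter.
 */
function example_square_connect_url() {
    $state = wp_create_nonce( 'example_square_oauth_redirect' );
    return add_query_arg(
        array( 'state' => $state ),
        'https://example.invalid/oauth2/authorize' // placeholder for the provider's authorize endpoint
    );
}
```

A crafted link cannot carry a valid `state` for the victim's session, so the callback aborts before update_option() is reached; the nonce's limited lifetime also bounds how long a leaked link stays usable.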