Plugin Vulnerability Hub
Plugin 39 known issues Latest disclosed Dec 30, 2025

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Vulnerabilities

Review known vulnerability records for the WordPress plugin Easy Digital Downloads – eCommerce Payments and Subscriptions made easy (`easy-digital-downloads`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-14783, CVE-2025-11271 and CVE-2025-8102, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 39
High or Critical: 10
Patch Coverage: 100%
Last Updated: Dec 31, 2025

Priority CVE Quick Links

Fast paths into Easy Digital Downloads – eCommerce Payments and Subscriptions made easy CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 33

CVE-2024-5057 Critical 3.3.1
CVE-2024-5057 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy SQL Injection

Easy Digital Downloads <= 3.2.12 - Unauthenticated SQL Injection

CVE-2023-30869 Critical 3.1.1.4.2
CVE-2023-30869 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Privilege Escalation

Easy Digital Downloads 3.1 - 3.1.1.4.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation

CVE-2023-23489 Critical 3.1.0.4
CVE-2023-23489 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy SQL Injection

Easy Digital Downloads < 3.1.0.4 - SQL Injection

CVE-2022-33900 Critical 3.0.2
CVE-2022-33900 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Vulnerability

Easy Digital Downloads <= 3.0.1 - PHP Object Injection

CVE-2015-9324 Critical 2.3.3
CVE-2015-9324 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy SQL Injection

Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 2.3.2 - SQL Injection

CVE-2022-2387 High 3.0
CVE-2022-2387 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Cross-Site Request Forgery

Easy Digital Downloads <= 2.11.7 - Cross-Site Request Forgery to Arbitrary Post Deletion

CVE-2022-3600 High 3.1.0.2
CVE-2022-3600 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Vulnerability

Easy Digital Downloads <= 3.1.0.1.1 - Unauthenticated CSV Injection

CVE-2022-0707 High 2.11.6
CVE-2022-0707 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Cross-Site Request Forgery

Easy Digital Downloads <= 2.11.5 - Cross-Site Request Forgery

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Easy Digital Downloads – eCommerce Payments and Subscriptions made easy so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 39 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 6 critical and 4 high severity findings.
Recent CVEs: CVE-2025-14783, CVE-2025-11271 and CVE-2025-8102
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-14783
CVE-2025-14783: Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated atta...

Published: Dec 30, 2025
Patched Release: 3.6.3
Affected Versions: Versions up to 3.6.2
Next Step: Update to 3.6.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-11271
CVE-2025-11271: Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation

The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value...

Published: Nov 05, 2025
Patched Release: 3.5.3
Affected Versions: Versions up to 3.5.2
Next Step: Update to 3.5.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-8102
CVE-2025-8102: Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for u...

Published: Aug 19, 2025
Patched Release: 3.5.1
Affected Versions: Versions up to 3.5.0
Next Step: Update to 3.5.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-4670
CVE-2025-4670: Easy Digital Downloads <= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output esc...

Published: May 28, 2025
Patched Release: 3.3.9
Affected Versions: Versions up to 3.3.8.1
Next Step: Update to 3.3.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-2252
CVE-2025-2252: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy <= 3.3.6.1 - Unauthenticated Private Post Title Disclosure

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticate...

Published: Mar 24, 2025
Patched Release: 3.3.7
Affected Versions: Versions up to 3.3.6.1
Next Step: Update to 3.3.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13517
CVE-2024-13517: Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Title

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it...

Published: Jan 17, 2025
Patched Release: 3.3.3
Affected Versions: Versions up to 3.3.2
Next Step: Update to 3.3.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12875
CVE-2024-12875: Easy Digital Downloads <= 3.3.2 - Authenticated (Admin+) Arbitrary File Download

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download functionality. This makes it possible for authenticated attackers, with Administ...

Published: Dec 20, 2024
Patched Release: 3.3.3
Affected Versions: Versions up to 3.3.2
Next Step: Update to 3.3.3 or newer if supported.

Plugin Low Patched: Yes CVE-2024-9654
CVE-2024-9654: Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass

The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the pur...

Published: Dec 16, 2024
Patched Release: 3.3.5
Affected Versions: 3.1 through 3.3.4
Next Step: Update to 3.3.5 or newer if supported.

Plugin High Patched: Yes CVE-2022-2439
CVE-2022-2439: Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users...

Published: Sep 23, 2024
Patched Release: 3.3.4
Affected Versions: Versions up to 3.3.3
Next Step: Update to 3.3.4 or newer if supported.

Plugin Low Patched: Yes CVE-2024-6692
CVE-2024-6692: Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization...

Published: Aug 09, 2024
Patched Release: 3.3.3
Affected Versions: Versions up to 3.3.2
Next Step: Update to 3.3.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-6691
CVE-2024-6691: Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Currency Settings

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and o...

Published: Aug 09, 2024
Patched Release: 3.3.3
Affected Versions: Versions up to 3.3.2
Next Step: Update to 3.3.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-43162
CVE-2024-43162: Easy Digital Downloads <= 3.2.12 - Missing Authorization

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers,...

Published: Aug 07, 2024
Patched Release: 3.3.1
Affected Versions: Versions up to 3.2.12
Next Step: Update to 3.3.1 or newer if supported.