Order Manipulation Vulnerability in Easy Digital Downloads Plugin by WordPress
CVE-2025-11271

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Easy Digital Downloads – Ecommerce Payments And Subscriptions Made Easy
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-11271?

The Easy Digital Downloads plugin for WordPress contains a significant order manipulation vulnerability due to an order verification bypass. This issue arises in all versions up to and including 3.5.2, where the order verification process is compromised when an attacker supplies the parameter 'verification_override=1' in the POST body. As a result, unauthenticated actors can submit forged Instant Payment Notifications (IPNs) that are erroneously validated, even on production sites where verification is typically enforced. While this manipulation is constrained to the orders that the attacker has previously placed, it poses a serious risk, enabling the possibility of fraudulent activities within the system.

Affected Version(s)

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy * <= 3.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/awesomemotive/easy-digital-downloads/b...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Oct 3, 2025

Credit

Jamie Davies

JSON