Unvalidated Redirect Vulnerability in Easy Digital Downloads Plugin for WordPress
CVE-2025-14783

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Easy Digital Downloads – Ecommerce Payments And Subscriptions Made Easy
Vendor
CVE Published:
31 December 2025

What is CVE-2025-14783?

The Easy Digital Downloads plugin for WordPress is susceptible to an unvalidated redirect vulnerability present in all versions up to and including 3.6.2. This weakness arises from inadequate validation of the redirect URL provided via the 'edd_redirect' parameter, enabling potential exploitation by unauthenticated attackers. If an attacker successfully deceives a user into taking a specific action, they can redirect them through a password reset email to malicious websites, posing significant security risks.

Affected Version(s)

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy * <= 3.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/easy-digital-d...
https://plugins.trac.wordpress.org/browser/easy-digital-d...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Angus Girvan
JSON
.