Stored Cross-Site Scripting in Easy Digital Downloads Plugin for WordPress
CVE-2025-4670
6.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 May 2025
What is CVE-2025-4670?
The Easy Digital Downloads plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability in all versions up to and including 3.3.8.1. The flaw stems from insufficient input sanitization and output escaping of the plugin's edd_receipt shortcode. Authenticated attackers with contributor-level access or higher can use this weakness to inject arbitrary web scripts into pages; the injected scripts then execute whenever a user views an affected page, putting user data and the integrity of the site at risk.
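The pattern behind this class of bug, as an added illustration that is not Easy Digital Downloads' own code: a hypothetical `[example_receipt]` shortcode whose attribute values reach the page once without escaping and once through the escaping helpers WordPress provides (`shortcode_atts`, `sanitize_html_class`, `esc_attr`, `esc_html`). The shortcode name, attributes and function names are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's own code. A hypothetical
// [example_receipt title="..." class="..."] shortcode showing the defect
// class described for CVE-2025-4670 (shortcode attributes rendered into
// HTML without escaping) next to the hardened form.

// Weak pattern: attribute values are concatenated straight into HTML.
// Whoever can place the shortcode in a post fully controls $atts, so the
// attribute context and the text context are both injectable here.
function example_receipt_shortcode_weak( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Your receipt', 'class' => 'receipt' ),
        $atts,
        'example_receipt'
    );
    return '<div class="' . $atts['class'] . '"><h2>' . $atts['title'] . '</h2></div>';
}

// Hardened pattern: sanitize on input, then escape on output for the exact
// context each value lands in.
function example_receipt_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Your receipt', 'class' => 'receipt' ),
        $atts,
        'example_receipt'
    );
    // sanitize_html_class() keeps only characters valid in a CSS class name
    // and falls back to 'receipt' if nothing valid remains.
    $class = sanitize_html_class( $atts['class'], 'receipt' );
    return sprintf(
        '<div class="%s"><h2>%s</h2></div>',
        esc_attr( $class ),          // attribute context
        esc_html( $atts['title'] )   // text node context
    );
}

// Register only the hardened handler.
add_shortcode( 'example_receipt', 'example_receipt_shortcode_safe' );
```

The reason contributor-level access is enough in this class of issue is that WordPress filters raw HTML out of post content for users without the `unfiltered_html` capability, but shortcode attribute values are stored as plain text and handed to the handler unfiltered; the handler itself must therefore escape them for the context it writes them into.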
Affected Version(s)
- Easy Digital Downloads – eCommerce Payments and Subscriptions made easy: <= 3.3.8.1