Cross-Site Request Forgery Vulnerability in Easy Digital Downloads Plugin for WordPress
CVE-2025-8102

5.4 MEDIUM

What is CVE-2025-8102?

The Easy Digital Downloads plugin for WordPress is affected by a vulnerability that allows unauthenticated attackers to carry out Cross-Site Request Forgery (CSRF) attacks. This issue arises from the lack of nonce validation in two critical functions: edd_sendwp_disconnect() and edd_sendwp_remote_install(). By exploiting this vulnerability, attackers can trick site administrators into unknowingly executing malicious actions, which could lead to the unauthorized deactivation or installation of the SendWP plugin.

Affected Version(s)

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy: versions <= 3.5.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley