PT-2025-45174 · WordPress · Easy Digital Downloads

Jamie Davies · Published 2025-11-06 · Updated 2025-11-06 · CVE-2025-11271

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Easy Digital Downloads versions up to and including 3.5.2

Description

The Easy Digital Downloads plugin for WordPress has a flaw that allows manipulation of orders. This is due to a bypass in order verification, which occurs when the verification override parameter is set to 1 in the POST body. An attacker can submit a forged IPN (Instant Payment Notification) and have it treated as verified, even if verification is normally enabled. A valid PayPal transaction ID is required for this manipulation, limiting it to orders initiated by the attacker who possesses a customer account.

Recommendations

Versions prior to 3.5.3 should be updated.
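
The weakness class described above, shown as a flawed check beside a hardened one. This is an added illustration, not code from Easy Digital Downloads or from this advisory: the function names, the OVERRIDE_FIELD placeholder (the advisory does not name the parameter) and the stub verifier are all assumptions.

```php
<?php
// Added illustration; not Easy Digital Downloads source. All names are hypothetical.

// Placeholder: the advisory does not give the real parameter name.
const OVERRIDE_FIELD = 'verification_override';

/**
 * Flawed pattern: a field in the request body can switch verification off,
 * so the sender of the IPN decides whether the IPN is checked.
 */
function ipn_is_trusted_flawed(array $post, bool $verificationEnabled, callable $verifyWithPayPal): bool
{
    $override = isset($post[OVERRIDE_FIELD]) && (string) $post[OVERRIDE_FIELD] === '1';
    if (!$verificationEnabled || $override) {
        return true; // accepted without asking PayPal
    }
    return (bool) $verifyWithPayPal($post);
}

/**
 * Hardened pattern: only server-side configuration decides whether to verify.
 * The request-supplied field is discarded before any decision is made.
 */
function ipn_is_trusted_hardened(array $post, bool $verificationEnabled, callable $verifyWithPayPal): bool
{
    unset($post[OVERRIDE_FIELD]);
    if (!$verificationEnabled) {
        return true; // the site owner's stored setting, never the request
    }
    return (bool) $verifyWithPayPal($post);
}

// Constructed sample input. The stub verifier rejects everything, standing in
// for PayPal refusing to confirm a notification it did not send.
$rejectAll = fn(array $p): bool => false;
$forged = [
    'txn_id'         => 'TXN-PLACEHOLDER',
    'payment_status' => 'Completed',
    OVERRIDE_FIELD   => '1',
];

// Verification is enabled in both calls; only the flawed check accepts the IPN.
var_dump(ipn_is_trusted_flawed($forged, true, $rejectAll));
var_dump(ipn_is_trusted_hardened($forged, true, $rejectAll));
```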

Related Identifiers

CVE-2025-11271

Affected Products

Easy Digital Downloads
WordPress