Skip to main content

Easy Digital Downloads CVE-2026-39503

| EUVDEUVD-2026-36948 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-2pxh-c3p8-9w89
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint missing an authorization check (PR:N, AV:N, AC:L, UI:N); integrity-only impact per CWE-862 broken access control, no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:24 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.

AnalysisAI

Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Easy Digital Downloads (EDD) is a popular AwesomeMotive WordPress plugin used to sell digital goods (software, e-books, music) on self-hosted WordPress sites, identified by CPE cpe:2.3:a:awesomemotive:easy_digital_downloads. The vulnerability is classified as CWE-862 (Missing Authorization), meaning a sensitive plugin action or endpoint executes without verifying the caller's permissions or capability (e.g., a wp-admin-ajax handler, REST route, or admin-post hook lacking a current_user_can() or nonce check). Because WordPress plugins commonly expose actions via admin-ajax.php and the REST API, missing authorization on such handlers turns them into network-reachable, unauthenticated entry points against any site running the vulnerable version.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should consult the Patchstack page at https://patchstack.com/database/wordpress/plugin/easy-digital-downloads/vulnerability/wordpress-easy-digital-downloads-plugin-3-6-5-broken-access-control-vulnerability and the WordPress.org plugin page to install the next release above 3.6.5 as soon as it is published. Until the site is upgraded, restrict access to /wp-admin/admin-ajax.php and the EDD REST namespace (/wp-json/edd-api/ and /wp-json/edd/) from untrusted networks via the web server or a WAF, or temporarily deactivate the plugin on stores that can tolerate downtime - noting that blocking admin-ajax.php breaks legitimate front-end AJAX features (cart, checkout, login forms) and that deactivation will take the storefront offline. If using Patchstack, Wordfence, or a comparable virtual-patching service, enable the corresponding vPatch/rule for CVE-2026-39503 as an interim compensating control.

CVE-2024-5057 CRITICAL POC
9.8 Aug 29

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downl

CVE-2023-30869 CRITICAL POC
9.8 May 02

Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Rated critical severity (CVSS 9.8)

CVE-2023-23489 CRITICAL POC
9.8 Jan 20

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection

CVE-2022-3600 CRITICAL POC
9.8 Nov 21

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which c

CVE-2024-35629 CRITICAL
9.8 Jun 04

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in

CVE-2023-0380 MEDIUM POC
5.4 Feb 21

The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before

CVE-2024-43162 HIGH
8.8 Nov 01

Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Se

CVE-2022-0706 MEDIUM POC
4.8 Apr 18

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the

CVE-2021-39354 MEDIUM POC
4.8 Oct 21

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end

CVE-2022-2387 MEDIUM POC
4.3 Nov 07

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history,

CVE-2022-0707 MEDIUM POC
4.3 Apr 18

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes

CVE-2022-33900 HIGH
7.2 Aug 22

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2

Share

CVE-2026-39503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy