Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable WordPress endpoint missing an authorization check (PR:N, AV:N, AC:L, UI:N); integrity-only impact per CWE-862 broken access control, no confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.
AnalysisAI
Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Easy Digital Downloads (EDD) is a popular AwesomeMotive WordPress plugin used to sell digital goods (software, e-books, music) on self-hosted WordPress sites, identified by CPE cpe:2.3:a:awesomemotive:easy_digital_downloads. The vulnerability is classified as CWE-862 (Missing Authorization), meaning a sensitive plugin action or endpoint executes without verifying the caller's permissions or capability (e.g., a wp-admin-ajax handler, REST route, or admin-post hook lacking a current_user_can() or nonce check). Because WordPress plugins commonly expose actions via admin-ajax.php and the REST API, missing authorization on such handlers turns them into network-reachable, unauthenticated entry points against any site running the vulnerable version.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should consult the Patchstack page at https://patchstack.com/database/wordpress/plugin/easy-digital-downloads/vulnerability/wordpress-easy-digital-downloads-plugin-3-6-5-broken-access-control-vulnerability and the WordPress.org plugin page to install the next release above 3.6.5 as soon as it is published. Until the site is upgraded, restrict access to /wp-admin/admin-ajax.php and the EDD REST namespace (/wp-json/edd-api/ and /wp-json/edd/) from untrusted networks via the web server or a WAF, or temporarily deactivate the plugin on stores that can tolerate downtime - noting that blocking admin-ajax.php breaks legitimate front-end AJAX features (cart, checkout, login forms) and that deactivation will take the storefront offline. If using Patchstack, Wordfence, or a comparable virtual-patching service, enable the corresponding vPatch/rule for CVE-2026-39503 as an interim compensating control.
More in Easy Digital Downloads
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downl
Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Rated critical severity (CVSS 9.8)
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection
The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which c
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in
The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Se
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history,
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36948
GHSA-2pxh-c3p8-9w89