Skip to main content

Easy Digital Downloads

27 CVEs product

Monthly

CVE-2026-39503 HIGH This Week

Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Easy Digital Downloads
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-4670 MEDIUM This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Easy Digital Downloads PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-2252 MEDIUM PATCH This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Easy Digital Downloads PHP
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-13517 MEDIUM PATCH Monitor

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including,. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2024-12875 MEDIUM PATCH This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

WordPress Path Traversal Easy Digital Downloads
NVD
CVSS 3.1
4.9
EPSS
1.0%
CVE-2024-9654 LOW PATCH Monitor

The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass WordPress Easy Digital Downloads
NVD
CVSS 3.1
3.7
EPSS
0.3%
CVE-2024-43162 HIGH This Week

Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.2.12. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Easy Digital Downloads
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-5057 CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downloads allows SQL Injection.2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2024-6692 LOW PATCH Monitor

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
CVSS 3.1
3.1
EPSS
0.4%
CVE-2024-6691 MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
CVSS 3.1
4.0
EPSS
0.3%
CVE-2024-35629 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads - Recent Purchases allows PHP Remote File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-32100 MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Easy Digital Downloads.2.11. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Easy Digital Downloads
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-31113 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Easy Digital Downloads
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-31293 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.2.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Easy Digital Downloads
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-2302 MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Information Disclosure Easy Digital Downloads
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2024-0659 MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-51684 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads - Sell Digital Files (eCommerce Store & Payments. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Easy Digital Downloads
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-30869 CRITICAL POC PATCH Act Now

Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Authentication Bypass Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2023-0380 MEDIUM POC This Month

The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Digital Downloads
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-23489 CRITICAL POC THREAT Act Now

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
11.2%
CVE-2022-3600 CRITICAL POC Act Now

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-2387 MEDIUM POC This Month

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-33900 HIGH PATCH This Week

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP Easy Digital Downloads
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2022-0707 MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-0706 MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-39354 MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP Easy Digital Downloads
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2019-15116 MEDIUM This Month

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Easy Digital Downloads
NVD
CVSS 3.1
6.1
EPSS
1.0%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Easy Digital Downloads
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Easy Digital Downloads +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Easy Digital Downloads +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH Monitor

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including,. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

The Easy Digital Downloads - eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

WordPress Path Traversal Easy Digital Downloads
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass WordPress Easy Digital Downloads
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.2.12. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Easy Digital Downloads
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downloads allows SQL Injection.2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Easy Digital Downloads
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads - Recent Purchases allows PHP Remote File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Easy Digital Downloads.2.11. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Easy Digital Downloads
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Easy Digital Downloads
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.2.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Easy Digital Downloads
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Information Disclosure Easy Digital Downloads
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Easy Digital Downloads - Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Easy Digital Downloads
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads - Sell Digital Files (eCommerce Store & Payments. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Easy Digital Downloads
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Authentication Bypass Easy Digital Downloads
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Digital Downloads
NVD WPScan
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Act Now

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Easy Digital Downloads
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Easy Digital Downloads
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Easy Digital Downloads
NVD WPScan
EPSS 1% CVSS 7.2
HIGH PATCH This Week

PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress PHP +1
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress Easy Digital Downloads
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Easy Digital Downloads
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Easy Digital Downloads
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy