CVE-2025-11271: CWE-807 Reliance on Untrusted Inputs in a Security Decision in smub Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.
AI Analysis
Technical Summary
The Easy Digital Downloads plugin for WordPress contains a vulnerability (CVE-2025-11271) in its handling of PayPal Instant Payment Notifications (IPNs). The IPN listener lets a field in the request itself decide whether the request is verified: when the POST body contains verification_override=1, verification is skipped unconditionally, regardless of environment or plugin settings. Because an IPN endpoint has to accept unauthenticated requests from PayPal, anyone who can reach the site can submit a forged notification carrying that field and have it treated as verified. The practical precondition is a valid PayPal transaction ID for an order on the store, which in practice means the attacker has placed an order through a customer account of their own, so manipulation is limited to their own orders. The weakness is CWE-807, Reliance on Untrusted Inputs in a Security Decision: the message being verified is also the source of the decision not to verify it.
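The pattern described above, as an added illustration written for this page and not taken from the Easy Digital Downloads code base: the function names, the settings keys, the stand-in PayPal verifier and the sample orders are all assumptions, and only the shape of the flaw (a request field deciding whether the request gets verified) comes from the advisory. The hardened variant shows the two checks a listener needs even after verification is fixed: the decision to skip must come from server-side configuration only, and a verified notification must still be matched against the order's own amount and payee.

```python
"""
Illustration of the CWE-807 pattern behind CVE-2025-11271 (added example,
not plugin code). Names, settings keys and the fake verifier are assumptions.
"""
from typing import Callable, Dict, Mapping, Optional

Ipn = Mapping[str, str]
Verifier = Callable[[Ipn], bool]

# Constructed stand-in for PayPal's verification endpoint. A real listener
# posts the notification back to PayPal and gets VERIFIED only if PayPal
# sent it; here "PayPal sent it" means every field matches this ledger.
_PAYPAL_LEDGER: Dict[str, Dict[str, str]] = {
    "9AB12345CD678901E": {
        "payment_status": "Completed",
        "mc_gross": "49.00",
        "receiver_email": "merchant@example.com",
    },
}


def fake_paypal_verify(ipn: Ipn) -> bool:
    known = _PAYPAL_LEDGER.get(ipn.get("txn_id", ""))
    return known is not None and all(ipn.get(k) == v for k, v in known.items())


def ipn_verified_vulnerable(post: Ipn, verify: Verifier) -> bool:
    """The flawed decision: an attacker-supplied body field switches verification off."""
    if post.get("verification_override") == "1":
        return True
    return verify(post)


def ipn_verified_hardened(post: Ipn, verify: Verifier, settings: Mapping[str, object]) -> bool:
    """Nothing in the request is consulted. If a skip switch must exist for sandbox
    testing, it comes from server-side settings (hypothetical keys) and is refused
    outside a development environment."""
    dev_skip = bool(settings.get("skip_ipn_verification")) and settings.get("environment") == "development"
    if dev_skip:
        return True
    return verify(post)


# Constructed store state: two orders placed by the same customer.
_ORDERS: Dict[str, Dict[str, str]] = {
    "1001": {"total": "49.00", "receiver_email": "merchant@example.com", "status": "pending"},
    "1002": {"total": "199.00", "receiver_email": "merchant@example.com", "status": "pending"},
}


def fresh_orders() -> Dict[str, Dict[str, str]]:
    return {k: dict(v) for k, v in _ORDERS.items()}


def apply_ipn(post: Ipn, verified: bool, orders: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Complete an order only if the IPN is verified AND its amount and payee match
    the order; returns the resulting status, or None when the IPN is rejected."""
    order = orders.get(post.get("custom", ""))
    if order is None or not verified:
        return None
    if post.get("mc_gross") != order["total"] or post.get("receiver_email") != order["receiver_email"]:
        return None
    if post.get("payment_status") == "Completed":
        order["status"] = "complete"
    return order["status"]


# The real notification for order 1001 (49.00) and a forged one that reuses
# the attacker's own valid txn_id to "pay" their 199.00 order 1002.
GENUINE_IPN = {"txn_id": "9AB12345CD678901E", "payment_status": "Completed",
               "mc_gross": "49.00", "receiver_email": "merchant@example.com", "custom": "1001"}
FORGED_IPN = dict(GENUINE_IPN, custom="1002", mc_gross="199.00", verification_override="1")

PRODUCTION = {"environment": "production", "skip_ipn_verification": True}


def outcome_vulnerable(ipn: Ipn = FORGED_IPN) -> Optional[str]:
    return apply_ipn(ipn, ipn_verified_vulnerable(ipn, fake_paypal_verify), fresh_orders())


def outcome_hardened(ipn: Ipn = FORGED_IPN, settings=PRODUCTION) -> Optional[str]:
    return apply_ipn(ipn, ipn_verified_hardened(ipn, fake_paypal_verify, settings), fresh_orders())


if __name__ == "__main__":
    print("vulnerable listener, forged IPN:", outcome_vulnerable())
    print("hardened listener, forged IPN:  ", outcome_hardened())
```

Run it and the vulnerable listener marks order 1002 complete on a notification PayPal never sent, while the hardened listener rejects it even though the production settings carry the skip flag, because that flag is only honoured in a development environment.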
Potential Impact
By submitting a forged IPN that the plugin treats as verified, an attacker can change the state of their own orders without a legitimate payment event behind the change; in a digital-goods store the concern is an order being marked paid or completed, and its download released, on the strength of a notification PayPal never sent. Orders placed by other customers are not affected, because a matching transaction ID is required. Confidentiality and availability are unaffected; the impact is to the integrity of the attacker's own order data and, through it, to the merchant's revenue on those orders. The medium CVSS score reflects the limited scope and the preconditions for exploitation.
Mitigation Recommendations
The advisory lists all versions up to and including 3.5.2 as affected; check the vendor's changelog and the Wordfence advisory for a release later than 3.5.2 that addresses this issue and update to it. Until the site is updated: at the web server or WAF, reject or alert on POST requests that carry a verification_override parameter, which is not a PayPal IPN variable and has no reason to appear in legitimate traffic; and review order status changes since the vulnerable version was installed, looking for orders completed without a matching transaction in the merchant's PayPal account. Restricting customer registration is of limited value, since the attacker needs only an ordinary customer account and an order of their own. Disabling the PayPal gateway in the plugin's payment settings removes the IPN path entirely, at the cost of PayPal checkout. The verification_override parameter is something a site should never accept from a request, not a feature to rely on.
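A stopgap filter of the kind recommended above, as an added example written for this page (not code from Easy Digital Downloads or Wordfence). It reports whether a request would put a verification_override parameter into PHP's $_POST or $_GET. The caveat a practitioner will want: PHP replaces '.' and ' ' in incoming parameter names with '_', so a WAF rule that matches only the literal string would miss verification.override=1 or verification+override=1; the php_key() helper mirrors that normalisation. The page does not name the IPN listener's URL, so the filter keys on the parameter alone and checks the query string as well as the body.

```python
"""
Stopgap request filter for CVE-2025-11271 (added example, not plugin or
Wordfence code). Flags requests whose query string or form-encoded body
carries verification_override, after normalising names the way PHP does.
"""
from urllib.parse import parse_qsl

BLOCKED_PARAM = "verification_override"
FORM = "application/x-www-form-urlencoded"


def php_key(raw_key: str) -> str:
    """Normalise a parameter name the way PHP does when building $_GET/$_POST:
    dots and spaces become underscores."""
    return raw_key.replace(".", "_").replace(" ", "_")


def param_names(encoded: str) -> set:
    # parse_qsl decodes %xx and '+' before we normalise; keep_blank_values so
    # that "verification_override=" with an empty value is still reported.
    return {php_key(k) for k, _ in parse_qsl(encoded, keep_blank_values=True)}


def media_type(content_type: str) -> str:
    return content_type.split(";", 1)[0].strip().lower()


def should_block(method: str, query_string: str, content_type: str, body: bytes) -> bool:
    """True if PHP would expose verification_override via $_GET or $_POST."""
    names = param_names(query_string)
    if method.upper() == "POST" and media_type(content_type) == FORM:
        names |= param_names(body.decode("utf-8", "replace"))
    return BLOCKED_PARAM in names


# Constructed requests: (method, query string, content type, body, note).
SAMPLES = [
    ("POST", "", FORM, b"txn_id=9AB12345CD678901E&payment_status=Completed&verification_override=1", "literal name"),
    ("POST", "", FORM, b"txn_id=9AB12345CD678901E&verification.override=1", "dot becomes underscore"),
    ("POST", "", FORM, b"txn_id=9AB12345CD678901E&verification+override=1", "space becomes underscore"),
    ("POST", "verification_override=1", FORM, b"txn_id=9AB12345CD678901E", "query string"),
    ("POST", "", FORM, b"txn_id=9AB12345CD678901E&payment_status=Completed", "legitimate IPN shape"),
    ("POST", "", "application/json", b'{"verification_override": "1"}', "JSON body never reaches $_POST"),
]


def classify(samples=SAMPLES):
    """Return [(note, blocked?)] for each sample request."""
    return [(note, should_block(m, q, ct, b)) for m, q, ct, b, note in samples]


if __name__ == "__main__":
    for note, blocked in classify():
        print(f"{'BLOCK ' if blocked else 'allow '} {note}")
```

The JSON sample is allowed because PHP does not populate $_POST from a JSON body, so the parameter cannot reach the vulnerable check that way. The filter does not parse multipart/form-data, which PHP also feeds into $_POST; a production rule must cover that encoding too.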
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-03T21:53:31.464Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690c27e36cabeda23dacfe93
Added to database: 11/6/2025, 4:45:23 AM
Last enriched: 4/9/2026, 3:53:13 PM
Last updated: 5/10/2026, 3:12:41 AM
Views: 193