CVE-2025-4670 is a stored cross-site scripting vulnerability identified in the Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress, affecting all versions up to and including 3.3.8.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically within the plugin's edd_receipt shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring low attack complexity and only privileges equivalent to contributor access; no user interaction is necessary for exploitation. The scope is changed, as the vulnerability affects other users beyond the attacker. No public exploits have been reported yet. This vulnerability is significant because Easy Digital Downloads is a popular WordPress plugin used by many e-commerce sites for managing payments and subscriptions, making affected sites attractive targets for attackers seeking to compromise customer data or site integrity.

The impact of CVE-2025-4670 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can result in account takeover, unauthorized transactions, or defacement of the website. Since the vulnerability requires contributor-level access, attackers who have compromised or gained such access can leverage this flaw to escalate their privileges or persist within the environment. For organizations, this can lead to reputational damage, loss of customer trust, regulatory penalties, and financial losses, especially in e-commerce contexts where payment and subscription data are involved. The vulnerability does not directly affect availability but can indirectly cause service disruption through malicious actions. Given the widespread use of WordPress and the Easy Digital Downloads plugin, the potential attack surface is large, affecting organizations globally that rely on this plugin for their online commerce operations.

Organizations should immediately review user roles and restrict contributor-level access to trusted personnel only, minimizing the risk of malicious script injection. Until an official patch is released, consider disabling or removing the edd_receipt shortcode functionality if feasible. Deploy web application firewalls (WAFs) with robust XSS detection and blocking capabilities to intercept and neutralize malicious payloads targeting this vulnerability. Implement strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly audit plugin versions and update Easy Digital Downloads to the latest patched release as soon as it becomes available. Conduct security awareness training for administrators and content contributors to recognize and prevent injection of malicious content. Additionally, monitor logs for unusual activity related to shortcode usage or unexpected script injections. Employ security plugins that perform input validation and output escaping to add layers of defense against XSS attacks.