Easy Digital Downloads <= 3.6.7 CSRF to Payment Account Hijacking via square_tokens (CVE-2026-7533)

Vulnerability Overview Vulnerability Name: Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter CVE ID: CVE-2026-7533 CVSS Score: 4.3 (Medium) Release Date: May 27, 2026 Last Updated: May 28, 2026 Researcher: typeSafe Affected Software Affected Software: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Software Type: Plugin Software Slug: easy-digital-downloads Affected Versions: <= 3.6.7 Fixed Version: 3.6.8 Remediation Recommendation: Update to version 3.6.8 or later Vulnerability Description The Easy Digital Downloads plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions 3.6.7 and earlier. The vulnerability stems from the lack of nonce verification on the function, which is hooked to and processes Square OAuth tokens provided via user-supplied GET parameters without CSRF token validation. This allows attackers to overwrite the store's Square payment gateway credentials by luring a logged-in administrator into clicking a crafted link, resulting in the hijacking of the payment account. References plugins.trac.wordpress.org Additional Information Software Type: Plugin Software Slug: easy-digital-downloads Fixed: Yes Fixed Version: 3.6.8 Recent Vulnerabilities Easy Digital Downloads – eCommerce Payments and Subscriptions made easy - CVE-2026-39503: Missing Authorization - CVE-2025-14783: Unvalidated Redirect in Password Reset Flow via edd_redirect - CVE-2025-11271: Insufficient Verification to Order Manipulation - CVE-2025-8102: Cross-Site Request Forgery to Plugin Deactivation via edd_sendzip, disconnect and edd_sendzip_remote_install_functions - CVE-2025-4670: Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode - CVE-2025-2252: Unauthenticated Private Post Title Disclosure - CVE-2024-13517: Authenticated (Admin+) Stored Cross-Site Scripting via Title - CVE-2024-12875: Authenticated (Admin+) Arbitrary File Download - CVE-2024-9654: Improper Authorization to Paywall Bypass - CVE-2022-2439: Authenticated (Admin+) PHAR Deserialization Disclaimer This record contains copyrighted material. Copyright: © 2012-2026 Defiant Inc. License: Defiant Inc. grants a perpetual, worldwide, non-exclusive, royalty-free, irrevocable copyright license to copy, prepare derivative works, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information must include a hyperlink to this license. Contact Information For any errors or if more information is needed, please contact: info-support@wordfence.com Business Hours Working Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support, 365 days a year, 1-hour response time Other Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media Twitter Facebook LinkedIn Instagram Products and Support Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form Subscribe for Updates Subscribe to our news and updates to receive vulnerability data from experienced security professionals. Copyright Information © 2012-2026 Defiant Inc. All Rights Reserved Other Wordfence Intelligence Wordfence Summary Vulnerability Name: Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter CVE ID: CVE-2026-7533 CVSS Score: 4.3 (Medium) Release Date: May 27, 2026 Last Updated: May 28, 2026 Researcher: typeSafe Affected Software: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy Software Type: Plugin Software Slug: easy-digital-downloads Affected Versions: <= 3.6.7 Fixed Version: 3.6.8 Recommendation: Update to version 3.6.8 or later Vulnerability Description: The Easy Digital Downloads plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions 3.6.7 and earlier. The vulnerability stems from the lack of nonce verification on the function, which is hooked to and processes Square OAuth tokens provided via user-supplied GET parameters without CSRF token validation. This allows attackers to overwrite the store's Square payment gateway credentials by luring a logged-in administrator into clicking a crafted link, resulting in the hijacking of the payment account. References: plugins.trac.wordpress.org Recent Vulnerabilities: - CVE-2026-39503: Missing Authorization - CVE-2025-14783: Unvalidated Redirect in Password Reset Flow via edd_redirect - CVE-2025-11271: Insufficient Verification to Order Manipulation - CVE-2025-8102: Cross-Site Req

Goal Reached Thanks to every supporter — we hit 100%!

Easy Digital Downloads <= 3.6.7 CSRF to Payment Account Hijacking via square_tokens (CVE-2026-7533)

More from this source