MEDIUM 4.3

CVE-2026-7533: Easy Digital Downloads CSRF Vulnerability Allows Payment Account Hijacking

The Easy Digital Downloads plugin for WordPress contains a security flaw that allows attackers to hijack a store's Square payment processing account. An attacker can send a malicious link to a WordPress administrator; if clicked while logged in, the link silently changes the store's Square payment credentials to attacker-controlled ones, redirecting future payments to the attacker. The vulnerability exists because the plugin does not verify that payment configuration requests come from legitimate, authorized actions—a standard web security practice called CSRF protection.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7533 is a Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads versions up to 3.6.7. The `handle_oauth_redirect()` function, hooked into `admin_init`, processes Square OAuth tokens from GET parameters without validating a nonce token. An unauthenticated attacker crafts a URL containing a malicious OAuth code and tricks an authenticated administrator into visiting it (e.g., via phishing email or forum post). When the admin's browser makes the request, the plugin accepts it as valid, overwrites the stored Square credentials, and the attacker gains control of the payment flow.

Business impact

A compromised Square integration directly threatens payment processing integrity and customer trust. Attackers can redirect transaction proceeds to external accounts, potentially for extended periods before detection. This creates immediate financial loss, customer payment data exposure risk, and significant operational disruption while the legitimate store owner regains access. Reputational damage and potential PCI compliance violations compound the impact. The attack requires only social engineering of a single administrator, making it a practical threat even for security-conscious organizations.

Affected systems

Easy Digital Downloads plugin for WordPress, all versions up to and including 3.6.7. Any WordPress site running this plugin with the Square payment gateway configured is vulnerable if administrators are active on the site and could be targeted via phishing or malicious links.

Exploitability

Exploitability is moderate but practical. The attack requires tricking an authenticated administrator to click a malicious link—a social engineering task, but one that succeeds reliably against busy users. No special access, authentication, or complex technical steps are needed on the attacker's side. The CVSS score of 4.3 (Medium) reflects the requirement for user interaction (the administrator must click the link) and the fact that the attack does not directly exfiltrate data or cause service availability loss. However, the *consequence* of account hijacking is severe, so the practical risk exceeds the numerical score.

Remediation

Update Easy Digital Downloads to a patched version that includes nonce verification in the `handle_oauth_redirect()` function. Verify the patch version against the official Easy Digital Downloads security advisory. Additionally, audit current Square OAuth credentials and recent payment transactions to detect unauthorized changes. Implement IP allowlisting or secondary authentication for payment gateway configuration changes where possible.

Patch guidance

Administrators should check the Easy Digital Downloads official plugin page and security advisories for the specific version that addresses this CSRF flaw. Apply the update immediately after verifying it addresses CVE-2026-7533. Review release notes to confirm nonce verification was added to the OAuth redirect handler. Test Square payment processing in a staging environment before deploying to production.

Detection guidance

Monitor for suspicious admin requests via access logs, focusing on requests to `admin_init` or payment gateway configuration endpoints with unusual GET parameters, especially those containing OAuth tokens from unexpected sources. Audit WordPress user activity logs for unauthorized changes to Square payment credentials. Check for recent changes to the `wp_options` table where payment gateway settings are stored (look for timestamps outside normal maintenance windows). Security plugins with CSRF monitoring may alert on exploitation attempts.

Why prioritize this

Although the CVSS score is Medium (4.3), the practical risk is elevated because the vulnerability allows an attacker to hijack payment processing without technical sophistication. Any Easy Digital Downloads site accepting payments via Square should prioritize this patch. The attack surface is broad—any administrator on the site is a potential target—and the financial impact is direct and immediate. This should be treated as high-priority despite the moderate numerical severity rating.

Risk score, explained

The CVSS:3.1 score of 4.3 reflects low attack complexity (requires only a crafted link), no authentication needed from the attacker side, and the requirement for user interaction (a click). Impact is limited in scope to integrity of the payment configuration (CVSS rates this as 'Low' for indirect confidentiality/availability effects), but the *real-world consequence*—account hijacking leading to payment diversion—justifies urgent patching despite the score.

Frequently asked questions

Do I need to be authenticated as an administrator for this attack to work?

No. The attacker does not need credentials. However, the *target* (a legitimate administrator) must be logged into WordPress when they click the malicious link. The vulnerability is in how the plugin trusts the request once an admin is authenticated, without verifying the request came from a legitimate action.

Could this be exploited to steal customer payment data directly?

This vulnerability does not directly exfiltrate customer payment card data. Instead, it redirects the payment configuration, potentially sending customer data and funds to an attacker-controlled Square account. This is a redirect/hijacking attack, not a data breach attack, though the downstream impact on customer data is severe.

Does a patched WordPress core or security plugin protect against this?

No. This is a flaw in the Easy Digital Downloads plugin itself, not WordPress core. While general CSRF protection plugins help, the definitive fix is updating Easy Digital Downloads to a version that adds nonce verification to the vulnerable function.

What should I do if I suspect this vulnerability has been exploited?

Immediately check your Square payment settings and recent transaction logs. Contact Square support to verify account integrity and review transaction history. Change all WordPress administrator passwords, audit login logs for unauthorized access, and inspect the Easy Digital Downloads activity logs (if enabled) for anomalous payment configuration changes. Consider engaging a security consultant to perform a full audit.

This analysis is based on publicly disclosed vulnerability information as of June 2026. Patch version numbers and specific release dates should be verified directly with the Easy Digital Downloads security advisory and vendor communications. This explainer does not constitute professional security advice. Organizations should conduct their own risk assessment and testing before deploying patches. No exploit code or weaponized proof-of-concept details are provided; this summary is for defensive awareness and remediation planning only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).