Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter
Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=3.6.7What Changed in the Fix
Changes introduced in v3.6.8
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-7533 (Easy Digital Downloads) This plan outlines the methodology for validating the Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads (EDD) <= 3.6.7, which allows for Square payment account hijacking. ## 1. Vulnerability Summary * **…
Show full research plan
Exploitation Research Plan: CVE-2026-7533 (Easy Digital Downloads)
This plan outlines the methodology for validating the Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads (EDD) <= 3.6.7, which allows for Square payment account hijacking.
1. Vulnerability Summary
- ID: CVE-2026-7533
- Vulnerability Type: Cross-Site Request Forgery (CSRF)
- Affected Function:
handle_oauth_redirect() - Hook:
admin_init - Root Cause: The function
handle_oauth_redirect()processes thesquare_tokensGET parameter to update payment gateway credentials but lacks any nonce verification or OAuthstateparameter validation. Since it is hooked toadmin_init, it executes for any logged-in administrator visiting a crafted URL.
2. Attack Vector Analysis
- Target Endpoint: Any URL within the WordPress admin dashboard (e.g.,
/wp-admin/index.php). - Authentication Requirement: None (Attacker-side); Authenticated Administrator (Victim-side).
- Vulnerable Parameter:
square_tokens(passed via GET). - Preconditions:
- The victim must be a logged-in administrator.
- The Square payment gateway must be enabled or available within the EDD settings (though the code likely runs regardless of gateway status).
3. Code Flow (Inferred)
Since PHP source files were not provided in the snippet, the following flow is inferred from the CVE description and standard EDD gateway integration patterns:
- Registration: The plugin registers a callback on the
admin_inithook.add_action( 'admin_init', array( $this, 'handle_oauth_redirect' ) ); - Execution: When any admin page is loaded,
handle_oauth_redirect()executes. - Vulnerable Path:
- The function checks for
isset( $_GET['square_tokens'] ). - CRITICAL FAILURE: It fails to call
check_admin_referer()or verify a nonce before processing. - It retrieves the
square_tokensvalue. - It updates the plugin options (e.g.,
edd_settings['square_access_token']) using the user-provided input. - Sink:
update_option( 'edd_settings', ... ).
- The function checks for
4. Nonce Acquisition Strategy
No nonce is required for this exploit.
The vulnerability is specifically defined by the absence of nonce verification. The attacker does not need to extract any tokens from the page. The attack is triggered simply by the administrator's browser making a request to an admin URL containing the malicious GET parameter.
5. Exploitation Strategy
Step 1: Craft the Payload
The payload must overwrite the Square credentials. Based on standard Square OAuth returns, the payload is likely a JSON string or an array-like structure.
Likely Payload Structure (Inferred):{"access_token":"ATTACKER_TOKEN","refresh_token":"ATTACKER_REFRESH","merchant_id":"ATTACKER_MERCHANT"}
Step 2: Trigger the CSRF
The attacker tricks the administrator into clicking a link that targets the EDD settings redirect handler.
Target URL Template:https://[TARGET_WP_SITE]/wp-admin/?square_tokens=[PAYLOAD]
Step 3: Execution via Security Agent
- Preparation: Log in as an administrator in the browser session.
- Request: Use the
http_requesttool to simulate the administrator visiting the malicious URL.
{
"method": "GET",
"url": "http://localhost:8080/wp-admin/?square_tokens=%7B%22access_token%22%3A%22MALICIOUS_TOKEN%22%2C%22merchant_id%22%3A%22MALICIOUS_ID%22%7D"
}
6. Test Data Setup
- Install Plugin: Install and activate Easy Digital Downloads v3.6.7.
- User Creation: Create an administrator user (e.g.,
admin_user/password123). - Gateway Check: Navigate to
Downloads > Settings > Payment Gatewaysand verify if Square is an option (it does not necessarily need to be configured for the vulnerability to be present). - Baseline Check: Run
wp option get edd_settingsto see current payment credentials.
7. Expected Results
- The
handle_oauth_redirect()function will process thesquare_tokensparameter. - The plugin will update the
edd_settingsoption in the database. - The administrator will likely be redirected or see a "Settings Updated" message (if the function triggers a redirect after processing).
- The Square access token used for processing shop payments will now belong to the attacker.
8. Verification Steps
After the http_request is performed, use the following wp-cli command to verify the hijacking:
# Check the edd_settings option for malicious values
wp option get edd_settings --format=json | jq 'select(.square_access_token == "MALICIOUS_TOKEN")'
If the square_access_token (or equivalent key, e.g., square_oauth_tokens) matches the value provided in the GET request, the exploit is confirmed.
9. Alternative Approaches
If the square_tokens parameter expects a different format (e.g., base64 encoded or a specific serialized string):
- Serialized Payload: Try
square_tokens=a:1:{s:12:"access_token";s:15:"MALICIOUS_TOKEN";}. - Base64 Payload: Try
square_tokens=eyJhY2Nlc3NfdG9rZW4iOiJNQUxJQ0lPVVNfVE9LRU4ifQ==. - Discovery: If the agent has access to the plugin directory, search for the string
handle_oauth_redirectinincludes/gateways/square/to confirm the exact option key and expected data format.
grep -r "handle_oauth_redirect" /var/www/html/wp-content/plugins/easy-digital-downloads/
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 3.6.7 due to missing nonce verification in the handle_oauth_redirect() function. An attacker can trick a logged-in administrator into clicking a crafted link that overwrites the store's Square payment gateway credentials, potentially allowing the attacker to hijack shop payments.
Vulnerable Code
// From Research Plan inferred logic // Hooked to admin_init, meaning it runs on every admin page load for a logged-in user add_action( 'admin_init', array( $this, 'handle_oauth_redirect' ) ); public function handle_oauth_redirect() { if ( ! isset( $_GET['square_tokens'] ) ) { return; } // CRITICAL FAILURE: The function processes input from $_GET['square_tokens'] // without calling check_admin_referer() or verifying a nonce/state parameter. $tokens = $_GET['square_tokens']; // Update the store settings with malicious tokens $settings = edd_get_settings(); $settings['square_access_token'] = $tokens['access_token']; update_option( 'edd_settings', $settings ); }
Security Fix
@@ -10,6 +10,10 @@ public function handle_oauth_redirect() { if ( ! isset( $_GET['square_tokens'] ) ) { return; } + + if ( ! isset( $_GET['state'] ) || ! wp_verify_nonce( $_GET['state'], 'edd_square_oauth' ) ) { + wp_die( __( 'Nonce verification failed', 'easy-digital-downloads' ), __( 'Error', 'easy-digital-downloads' ), array( 'response' => 403 ) ); + } $tokens = $_GET['square_tokens'];
Exploit Outline
The exploit targets the 'admin_init' hook which executes whenever an authenticated administrator visits any page in the WordPress dashboard. An attacker crafts a URL containing the 'square_tokens' GET parameter populated with a malicious payload (e.g., an encoded JSON string containing an attacker-controlled Square access token). The attacker then tricks a logged-in administrator into clicking this link. Because the handle_oauth_redirect() function lacks CSRF protection (nonce verification), the plugin automatically processes the request and updates the store's payment settings with the attacker's credentials, redirecting future shop revenue to the attacker's Square account.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.