CVE-2026-39503

Vulnerability

An unauthenticated broken access control vulnerability exists in the Easy Digital Downloads plugin for WordPress versions up to and including 3.6.5. The issue arises from missing authorization or nonce checks in certain functions, allowing requests to be processed without proper authentication. No specific configuration is required for the vulnerable code path to be reachable [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the WordPress site without any prior authentication. No user interaction is required. The attacker does not need any special network position or write access; the vulnerability is remotely exploitable over the internet [1].

Impact

Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying settings or accessing sensitive data. This can lead to unauthorized disclosure of information or alteration of site content, with a potential impact on confidentiality and integrity. The CVSS score assigned is 7.5, indicating a high severity [1].

Mitigation

The vulnerability has been addressed in version 3.6.6 of the plugin. Users are strongly advised to update to this version or later immediately. Patchstack users can enable auto-updates for vulnerable plugins as a workaround. No other workarounds have been disclosed in the available references [1].