Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-7533
CVE-2026-7533
Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handle_oauth_redirect() function, which is registered on the admin_init hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=3.6.7+ 1 more
- (no CPE)range: <=3.6.7
- (no CPE)range: <=3.6.7
Patches
Vulnerability mechanics
References
8- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.phpnvd
- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.phpnvd
- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Gateway.phpnvd
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.phpnvd
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.phpnvd
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Gateway.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/e375f761-459c-4cad-823b-2a94ac901410nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026