CVE-2026-7533
Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handle_oauth_redirect() function, which is registered on the admin_init hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Easy Digital Downloads <=3.6.7 has a CSRF vulnerability in `handle_oauth_redirect()` allowing attackers to hijack Square payment credentials by tricking an admin.
Vulnerability
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.6.7. The issue exists in the handle_oauth_redirect() function located in src/Gateways/Square/Connection.php [1][2][3][4]. This function processes Square OAuth tokens from a user-supplied GET parameter (square_tokens) without any nonce or CSRF token validation, making it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials.
Exploitation
An attacker can craft a malicious link or webpage that triggers the handle_oauth_redirect() function with a crafted square_tokens parameter. The attacker must trick a logged-in administrator into clicking the crafted link while they are authenticated in the WordPress admin area. No other authentication or user interaction is required beyond the click. The attacker does not need any special privileges.
Impact
Upon successful exploitation, the attacker can overwrite the store's Square payment gateway credentials, including access tokens, refresh tokens, and client ID. This effectively hijacks the payment account, allowing the attacker to receive payments intended for the store, view transaction data, or perform other actions on the Square account. The compromise results in a direct financial and data integrity impact.
Mitigation
The vendor has released a patched version; users should update to version 3.6.8 or later. For users unable to update immediately, a workaround is to restrict access to the Square integration settings and ensure administrators are aware of CSRF risks. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L58
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L47
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L47
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L58
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries:
- (no CPE) range: <=3.6.7
- (no CPE) range: <=3.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing nonce verification in the `handle_oauth_redirect()` function allows CSRF-based overwrite of Square payment gateway credentials."
Attack vector
An unauthenticated attacker crafts a link that, when visited by a logged-in WordPress administrator, triggers the `admin_init` action and invokes `handle_oauth_redirect()` [ref_id=1][ref_id=2]. Because the function lacks nonce verification, the attacker can supply arbitrary Square OAuth credentials via GET parameters, overwriting the store's Square payment gateway credentials. This results in payment account hijacking, where the attacker's Square account replaces the legitimate store's payment processing credentials.
Affected code
The vulnerability resides in the `capture_oauth_tokens()` method of `src/Gateways/Square/Gateway.php`, which is registered on the `admin_init` hook and calls `$this->get_connection()->handle_oauth_redirect()` [ref_id=1][ref_id=2]. The `handle_oauth_redirect()` function processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation.
What the fix does
The bundle does not include a patch diff. The advisory states that the vulnerability exists because the `handle_oauth_redirect()` function, called via `capture_oauth_tokens()` on the `admin_init` hook, processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation [ref_id=1][ref_id=2]. To remediate, a nonce check must be added before processing the OAuth redirect to ensure the request originated from an authenticated administrator session.
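The remediation the advisory calls for, a nonce check in front of the redirect handler, is easiest to see as the unguarded handler next to a guarded one. The following PHP is an added illustration written for this page; it is not Easy Digital Downloads' code, and the function names, the option key, the nonce action string and the use of the OAuth 2.0 `state` parameter to carry the nonce are assumptions made for the example. Only the `square_tokens` GET parameter and the `admin_init` hook come from the advisory.

```php
<?php
// Added illustration (not Easy Digital Downloads' own code). All example_* names,
// the option key and the nonce action are assumptions chosen for this example.

// --- Unguarded pattern: the shape of the flaw the advisory describes ---
// Every request to wp-admin made by a logged-in administrator's browser runs
// admin_init, including a GET navigation started from a third-party page.
function example_vulnerable_capture_tokens() {
    if ( empty( $_GET['square_tokens'] ) ) {
        return;
    }
    // No capability check and no nonce: the payload is trusted purely because the
    // browser that carried it holds an admin session cookie.
    $tokens = json_decode( wp_unslash( $_GET['square_tokens'] ), true );
    update_option( 'example_square_credentials', $tokens );
}

// --- Hardened pattern ---
// 1. When the "connect" link is built, mint a nonce tied to this action and to the
//    current user. Carrying it in the OAuth 2.0 state parameter (assumption) means it
//    is returned on the redirect and can be verified there.
function example_build_connect_state() {
    return wp_create_nonce( 'example_square_oauth_connect' );
}

// 2. On the redirect, check capability, then the nonce, before reading any input.
function example_hardened_capture_tokens() {
    if ( empty( $_GET['square_tokens'] ) ) {
        return;
    }
    // Only a user who may change store settings can complete the connection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // The state must be the nonce this site issued for this action. A link assembled
    // elsewhere cannot contain it, so a forged request is rejected here.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'example_square_oauth_connect' ) ) {
        wp_die( esc_html__( 'Invalid or expired connection request.' ), '', array( 'response' => 403 ) );
    }
    // Validate the payload's shape instead of storing whatever arrived.
    $tokens = json_decode( wp_unslash( $_GET['square_tokens'] ), true );
    if ( ! is_array( $tokens ) || empty( $tokens['access_token'] ) ) {
        wp_die( esc_html__( 'Malformed token payload.' ), '', array( 'response' => 400 ) );
    }
    update_option( 'example_square_credentials', array(
        'access_token'  => sanitize_text_field( $tokens['access_token'] ),
        'refresh_token' => isset( $tokens['refresh_token'] ) ? sanitize_text_field( $tokens['refresh_token'] ) : '',
    ) );
    // Redirect away from the token-bearing URL so a reload cannot replay it.
    wp_safe_redirect( admin_url( 'admin.php?page=example-square&connected=1' ) );
    exit;
}
add_action( 'admin_init', 'example_hardened_capture_tokens' );
```

Two points matter for a reviewer checking a fix of this kind. First, `wp_verify_nonce()` alone is not a substitute for the capability check: the nonce proves the request originated from a page this site rendered for this user, while `current_user_can()` proves that user is allowed to change gateway credentials, and an admin-only action needs both. Second, because an OAuth redirect arrives from the provider rather than from a form on the site, the nonce has to be generated when the authorization URL is built and round-tripped (here via `state`); a handler that only checks for a nonce it never issued will reject every legitimate connection attempt, which is the failure mode to test for after applying such a change.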
Preconditions
- auth: A logged-in WordPress administrator must be tricked into clicking a crafted link
- input: The attacker must craft a URL containing Square OAuth token parameters
- network: The attacker must have network access to deliver the crafted link to the administrator
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8 references (all tagged nvd):
- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php
- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php
- plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Gateway.php
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php
- plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Gateway.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/e375f761-459c-4cad-823b-2a94ac901410
News mentions
No linked articles in our index yet.