CVE-2025-14783

MEDIUM

Easy Digital Downloads <3.6.2 - Open Redirect

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-14783. PoCs published by ZeroEthical.

AI-analyzed exploit summary This PoC demonstrates a Password Reset Poisoning vulnerability in Easy Digital Downloads (EDD) for WordPress, allowing an unauthenticated attacker to intercept password reset tokens via a malicious redirect parameter.

Description

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

Exploits (1)

nomisec WORKING POC 2 stars
by ZeroEthical · poc
https://github.com/ZeroEthical/CVE-2025-14783-POC

This PoC demonstrates a Password Reset Poisoning vulnerability in Easy Digital Downloads (EDD) for WordPress, allowing an unauthenticated attacker to intercept password reset tokens via a malicious redirect parameter.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Easy Digital Downloads (EDD) for WordPress <= 3.6.2
No auth needed
Prerequisites: Python 3.x · requests library · a controlled server to host the malicious redirect endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 4.3
EPSS 0.0031
EPSS Percentile 22.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-640
Status published
Products (1)
smub/Easy Digital Downloads – eCommerce Payments and Subscriptions made easy < 3.6.2
Published Dec 31, 2025
Tracked Since Feb 18, 2026