PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7533 smub CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability in the Easy Digital Downloads WordPress plugin allows unauthenticated attackers to overwrite Square payment gateway credentials by tricking a logged-in administrator into visiting a malicious link. The flaw exists in the `handle_oauth_redirect()` function, which processes OAuth tokens from user-supplied GET parameters without nonce verification. This could enable payment account hijacking.

Vendor: smub
Product: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using Easy Digital Downloads with Square payment processing; e-commerce security teams; payment compliance auditors

Technical summary

The Easy Digital Downloads plugin for WordPress contains a CSRF vulnerability in its Square payment gateway integration. The `handle_oauth_redirect()` function, hooked to `admin_init`, accepts OAuth tokens from GET parameters without validating a nonce token. An unauthenticated attacker can craft a malicious URL containing attacker-controlled Square OAuth credentials. When a logged-in administrator clicks this link, the plugin saves the attacker's credentials as the store's Square payment gateway configuration, redirecting payments to the attacker-controlled account. The vulnerability requires user interaction (an administrator clicking a link) but no authentication bypass: because the `admin_init` hook runs on every admin page load, the forged request is processed under the administrator's own authenticated session.
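The following is an added illustration, not the plugin's own code, of the pattern described above: a handler on `admin_init` that trusts GET input, beside a hardened version that rejects any redirect the site did not itself initiate. The `example_` function and option names and the `access_token` GET parameter are assumptions; the hardened variant carries the WordPress nonce in the OAuth `state` parameter, which the provider echoes back unchanged, so `wp_verify_nonce()` can tie the redirect to the administrator who started the connect flow.

```php
<?php
// Added illustration, not the plugin's own code. Option names, the
// 'example_' prefix and the 'access_token' parameter are hypothetical.

// Vulnerable shape: runs on every admin page load via admin_init and
// trusts GET input as-is, so a link an administrator merely visits can
// rewrite the stored gateway credentials (the CSRF in this debrief).
function example_vulnerable_oauth_redirect() {
    if ( empty( $_GET['access_token'] ) ) {
        return;
    }
    $token = sanitize_text_field( wp_unslash( $_GET['access_token'] ) );
    update_option( 'example_square_access_token', $token );
}

// Hardened shape. The connect link the admin clicks is built with a
// nonce in the OAuth 'state' value; the provider returns it unchanged.
function example_square_connect_state() {
    return wp_create_nonce( 'example_square_oauth_connect' );
}

function example_hardened_oauth_redirect() {
    if ( empty( $_GET['access_token'] ) ) {
        return;
    }
    // Capability check: only a site administrator may store credentials.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $state = isset( $_GET['state'] )
        ? sanitize_text_field( wp_unslash( $_GET['state'] ) )
        : '';
    // wp_verify_nonce() returns false for a missing, forged or expired
    // value, and the nonce is bound to the user session that minted it,
    // so a URL crafted by a third party fails here.
    if ( ! wp_verify_nonce( $state, 'example_square_oauth_connect' ) ) {
        wp_die( 'OAuth redirect failed CSRF check.', 403 );
    }
    $token = sanitize_text_field( wp_unslash( $_GET['access_token'] ) );
    update_option( 'example_square_access_token', $token );
}
add_action( 'admin_init', 'example_hardened_oauth_redirect' );
```

Defensively, the same nonce check can be audited for in any `admin_init` handler that writes options from `$_GET`; a handler that reaches `update_option()` without `wp_verify_nonce()` or `check_admin_referer()` has the same exposure.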

Defensive priority

medium

Recommended defensive actions

  • Upgrade Easy Digital Downloads to version 3.6.8 or later
  • Implement additional admin-level access controls for payment gateway configuration changes
  • Consider Web Application Firewall rules to detect suspicious OAuth redirect patterns
  • Review Square payment gateway settings for unauthorized modifications if running affected versions

Evidence notes

The vulnerability was reported to Wordfence and affects all versions up to and including 3.6.7. Source code references confirm the `handle_oauth_redirect()` function is registered on `admin_init` and lacks CSRF token validation when processing Square OAuth tokens from GET parameters. A changeset reference indicates a patch was committed to the plugin repository.

Official resources
