CVE-2025-14783
Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirectThe Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
We have discovered 8,335 live websites that are affected by CVE-2025-14783.
Affected Software
| Product | |
| Category | Ecommerce |
| Vulnerable Domains | 8,335 live websites (60% of Easy Digital Downloads install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 143 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-640 Weak Password Recovery Mechanism for Forgotten PasswordDetails
- Published - Dec 31, 2025
- Updated - Apr 8, 2026
Credits
- Angus Girvan (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14783 United States | 3,742 websites |
 Iran | 713 websites |
 Germany | 648 websites |
 GB | 427 websites |
 France | 313 websites |
 Italy | 269 websites |
 Cyprus | 222 websites |
 Canada | 153 websites |
 Spain | 122 websites |
 Netherlands | 120 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14783| .com | 4,809 websites |
| .org | 439 websites |
| .net | 273 websites |
| .de | 204 websites |
| .it | 180 websites |
| .co.uk | 176 websites |
| .fr | 91 websites |
| .ru | 87 websites |
| .nl | 86 websites |
| .com.au | 85 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14783
Top websites that are affected by CVE-2025-14783. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.eu | Netherlands | *,*** | |
| **************.com | Canada | *,*** | |
| **********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.*********.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| **********.com |  Australia | **,*** | |
| ***********.com | United States | **,*** |
FAQ
CVE-2025-14783 is Weak Password Recovery Mechanism for Forgotten Password in Easy Digital Downloads
A total of 8,335 websites have been identified as vulnerable to CVE-2025-14783, based on global website indexing conducted by WebTechSurvey.
The Easy Digital Downloads is affected by the CVE-2025-14783 vulnerability.
Easy Digital Downloads versions up to and including 3.6.2 are vulnerable to CVE-2025-14783.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3c0fb43c-f576-412e-a144-4725356ed9a0?source=cve
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/users/lost-password.php#L187
- https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/blocks/views/forms/lost-password.php#L24
- https://plugins.trac.wordpress.org/changeset/3426524/easy-digital-downloads/trunk/includes/users/lost-password.php