Easy Digital Downloads Plugin Vulnerability - CVE-2025-4670
Another day, another vulnerability.
Yesterday, on May 28, 2025, the Easy Digital Downloads plugin was flagged for a vulnerability at Wordfence.
One day later, we also have it confirmed as a CVE.
In a nutshell, all versions of the EDD plugin before 3.3.9 have an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability.
Please update to EDD 3.3.9.
If you do not update and registrations are enabled on your website (including when someone creates an account while purchasing from your website), anyone with at least subscriber access (also customer, editor, author...) can freely upload malicious scripts that are executed every time someone visits the infected page(s).
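To check whether a site still runs a release older than 3.3.9, the plugin's `Version:` header can be read straight from disk. The script below is an added example, not code from Easy Digital Downloads or Wordfence; the plugin directory names, the main file name and the sample tree in `demo()` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 3, 9)  # first patched release named in the post
# Assumptions: stock directory names (free and Pro builds) and stock main file name.
SLUGS = ("easy-digital-downloads", "easy-digital-downloads-pro")
MAIN_FILE = "easy-digital-downloads.php"


def parse_version(text):
    """Return the plugin header's Version as a tuple of ints, or None if absent."""
    # WordPress itself only reads plugin headers from the first 8 KB of the file.
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  text[:8192], re.M | re.I)
    if m is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "3.3" compares as 3.3.0


def audit(wp_root):
    """Map each EDD install found under wp_root to (status, version string)."""
    results = {}
    for slug in SLUGS:
        main = Path(wp_root) / "wp-content" / "plugins" / slug / MAIN_FILE
        if not main.is_file():
            continue
        version = parse_version(main.read_text(encoding="utf-8", errors="replace"))
        if version is None:
            results[slug] = ("unknown", None)
        else:
            status = "vulnerable" if version < FIXED else "patched"
            results[slug] = (status, ".".join(map(str, version)))
    return results


def demo():
    # Constructed sample: a throwaway site tree holding an outdated EDD header.
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / SLUGS[0]
        plugin_dir.mkdir(parents=True)
        header = "<?php\n/**\n * Plugin Name: Easy Digital Downloads\n * Version: 3.3.8\n */\n"
        (plugin_dir / MAIN_FILE).write_text(header, encoding="utf-8")
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the WordPress root of each site you manage; a result of `unknown` means the header could not be parsed and the install should be checked by hand.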
If you need help, feel free to get in touch.