vulnerability
WordPress Plugin: easy-digital-downloads: CVE-2023-30869: Unverified Password Change
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | May 2, 2023 | May 15, 2025 | Apr 30, 2026 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
May 2, 2023
Added
May 15, 2025
Modified
Apr 30, 2026
Description
The Easy Digital Downloads plugin for WordPress is vulnerable to Unauthenticated Arbitrary Password Resets to Privilege Escalation in versions 3.1 to 3.1.1.4.1. This is due to a lack of validation of a password reset key in the edd_validate_password_reset function. This makes it possible for unauthenticated attackers to reset the password of any user on a vulnerable site, including an administrator, if they have the email or username of the targeted account.
Solution
easy-digital-downloads-plugin-cve-2023-30869
References
- https://www.cve.org/CVERecord?id=CVE-2023-30869
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8e3e07c8-8fd0-4966-8276-aece794b75b2?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-35209
- CVE-2023-30869
- https://attackerkb.com/topics/CVE-2023-30869
- CWE-287
- EUVD-EUVD-2023-35209
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.