Last night a crucial security flaw was discovered in the checkout process of Easy Digital Downloads and fixed immediately. Version 220.127.116.11 was pushed out and takes care of the issue. Please update immediately if you are on less than 18.104.22.168.
Due to the nature of the flaw, I cannot go into detail about exactly what the flaw was or how it could be exploited, but it had to do with user accounts and it was severe. The flaw permitted an experienced user who knew exactly what they were doing (and knew how to exploit the issue) to potentially gain admin access to sites running specific versions of EDD with specific configurations.
EDD versions affected: 1.4.2 – 22.214.171.124.
Version 126.96.36.199 fixes the problem
The flaw was discovered by Adam of Mint Themes, who, thankfully, reported it immediately, allowing us to send out a patch within 30 minutes of the discovery.