{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3124", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T14:05:44.981Z", "datePublished": "2026-03-30T01:24:44.783Z", "dateUpdated": "2026-03-30T01:24:44.783Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-30T01:24:44.783Z"}, "affected": [{"vendor": "wpchill", "product": "Download Monitor", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."}], "title": "Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "timeline": [{"time": "2026-02-24T14:57:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-29T12:42:40.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."}], "id": "CVE-2026-3124", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-30T02:16:15.630", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Download Monitor", "source": "cna", "vendor": "wpchill"}, "product": "download_monitor", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-03-30T05:21:36.590396+00:00", "value": {"mitigation_remediation": ["Upgrade Download Monitor to a version newer than 5.1.7", "Restrict access to the executePayment endpoint so only authenticated users can invoke it", "Consult the plugin vendor\u2019s website or the WordPress repository for any additional patches or advisories"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Order Completion"}, "threat_synthesis": {"affected_systems": "The flaw affects the Download Monitor plugin from wpchill. All versions up to and including 5.1.7 are vulnerable, so any WordPress site running one of these plugin versions is at risk.", "description_and_impact": "The Download Monitor plugin for WordPress contains an insecure direct object reference flaw in the executePayment() function, allowing unauthenticated users to submit a PayPal transaction token that does not match the local order ID. By crafting a request with a forged token and order_id, an attacker can complete any pending order with minimal payment, effectively stealing paid digital goods. This vulnerability is classified as CWE\u2011639 and can result in financial loss for site owners.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high severity; the exploit does not require authentication or elevated privileges, making it straightforward for attackers to complete arbitrary orders. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but its potential for remote payment fraud makes it an attractive target for malicious actors."}}}}, "created": "2026-03-30T06:57:55.020854+00:00", "updated": "2026-03-30T07:03:44.990853+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$download_monitor"]}