CVE-2026-3124
Received Received - Intake
IDOR Vulnerability in Download Monitor Plugin Enables Order Theft

Publication date: 2026-03-30

Last updated on: 2026-03-30

Assigner: Wordfence

Description
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3124
EUVD
EUVD-2026-17052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpdownloadmonitor download_monitor to 5.1.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3124 is a security vulnerability in the Download Monitor plugin for WordPress, specifically affecting versions up to and including 5.1.7. It is an Insecure Direct Object Reference (IDOR) issue in the executePayment() function caused by missing validation on a user-controlled key.

This flaw allows unauthenticated attackers to exploit a mismatch between the PayPal transaction token and the local order, enabling them to complete arbitrary pending orders. Essentially, an attacker can pay a minimal amount for a low-cost item and then use that payment token to finalize a high-value order, effectively stealing paid digital goods.

The vulnerability was fixed in version 5.1.8 by implementing strict validation of order hashes and payment tokens, safe handling of payment capture failures, and ensuring only valid transactions complete orders.

Impact Analysis

This vulnerability can lead to financial loss and unauthorized access to paid digital goods. Attackers can exploit the flaw to pay a small amount for a low-cost item and then use the associated payment token to complete orders for high-value items without proper payment.

As a result, you could lose revenue due to theft of digital products, and your customers' trust may be damaged if unauthorized transactions occur.

Detection Guidance

Detection of this vulnerability involves identifying if the Download Monitor WordPress plugin is installed and running a vulnerable version (up to and including 5.1.7). Since the vulnerability is related to the PayPal payment gateway integration and involves manipulation of order hashes and payment tokens, monitoring for unusual or unauthorized order completions or payment token mismatches could indicate exploitation attempts.

You can check the plugin version on your WordPress installation by running the following command in the WordPress root directory:

  • wp plugin list | grep download-monitor

To detect suspicious activity related to this vulnerability, you might review web server or application logs for unusual requests to the executePayment() function or attempts to finalize orders with mismatched PayPal tokens.

Example command to search for suspicious requests in web server logs (assuming Apache logs):

  • grep -i 'executePayment' /var/log/apache2/access.log

Additionally, monitoring for unexpected order completions or payment token reuse in the plugin's database tables could help detect exploitation attempts, but specific commands for this depend on your database setup and are not detailed in the provided resources.

Mitigation Strategies

The primary immediate mitigation step is to update the Download Monitor WordPress plugin to version 5.1.8 or later, where the vulnerability has been fixed.

  • Update the plugin via the WordPress admin dashboard or by running the command: wp plugin update download-monitor

The update includes strict validation of order hashes and PayPal payment tokens, safe handling of payment capture failures, and ensures only valid transactions complete orders, effectively mitigating the vulnerability.

If immediate updating is not possible, consider temporarily disabling the PayPal payment gateway integration in the Download Monitor plugin to prevent exploitation.

Also, monitor your orders and payment transactions for suspicious activity until the update can be applied.

Compliance Impact

The vulnerability in the Download Monitor plugin allows unauthenticated attackers to manipulate payment transactions and complete arbitrary pending orders, potentially leading to theft of paid digital goods.

Such unauthorized access and manipulation of payment data could lead to violations of financial data integrity and security requirements found in common standards and regulations like GDPR and HIPAA, which mandate protection of personal and payment information against unauthorized access and fraud.

By enabling attackers to finalize high-value orders with minimal payment, the vulnerability risks financial fraud and data misuse, which could result in non-compliance with these regulations' requirements for data protection, transaction integrity, and fraud prevention.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart