{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3124", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T14:05:44.981Z", "datePublished": "2026-03-30T01:24:44.783Z", "dateUpdated": "2026-04-08T16:49:33.008Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:33.008Z"}, "affected": [{"vendor": "wpchill", "product": "Download Monitor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."}], "title": "Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "timeline": [{"time": "2026-02-24T14:57:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-29T12:42:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:55:44.775010Z", "id": "CVE-2026-3124", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:17.380Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:55:44.775010Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:06.657Z"}}], "cna": {"title": "Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'", "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Download Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T14:57:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-29T12:42:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"}], "descriptions": [{"lang": "en", "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:33.008Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3124", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:33.008Z", "dateReserved": "2026-02-24T14:05:44.981Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-30T01:24:44.783Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."}, {"lang": "es", "value": "El plugin Download Monitor para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 5.1.7, inclusive, a trav\u00e9s de la funci\u00f3n executePayment() debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite que atacantes no autenticados completen pedidos pendientes arbitrarios al explotar una falta de coincidencia entre el token de transacci\u00f3n de PayPal y el pedido local, lo que permite el robo de bienes digitales pagados al pagar una cantidad m\u00ednima por un art\u00edculo de bajo costo y usar ese token de pago para finalizar un pedido de alto valor."}], "id": "CVE-2026-3124", "lastModified": "2026-04-24T16:36:24.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-30T02:16:15.630", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Download Monitor", "source": "cna", "vendor": "wpchill"}, "product": "download_monitor", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-03-30T05:21:36.590396+00:00", "value": {"mitigation_remediation": ["Upgrade Download Monitor to a version newer than 5.1.7", "Restrict access to the executePayment endpoint so only authenticated users can invoke it", "Consult the plugin vendor\u2019s website or the WordPress repository for any additional patches or advisories"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Order Completion"}, "threat_synthesis": {"affected_systems": "The flaw affects the Download Monitor plugin from wpchill. All versions up to and including 5.1.7 are vulnerable, so any WordPress site running one of these plugin versions is at risk.", "description_and_impact": "The Download Monitor plugin for WordPress contains an insecure direct object reference flaw in the executePayment() function, allowing unauthenticated users to submit a PayPal transaction token that does not match the local order ID. By crafting a request with a forged token and order_id, an attacker can complete any pending order with minimal payment, effectively stealing paid digital goods. This vulnerability is classified as CWE\u2011639 and can result in financial loss for site owners.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high severity; the exploit does not require authentication or elevated privileges, making it straightforward for attackers to complete arbitrary orders. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but its potential for remote payment fraud makes it an attractive target for malicious actors."}}}}, "created": "2026-03-30T06:57:55.020854+00:00", "updated": "2026-03-30T07:03:44.990853+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$download_monitor"]}