Platform
wordpress
Component
download-monitor
Fixed in
5.1.8
CVE-2026-3124 is an Insecure Direct Object Reference vulnerability in the Download Monitor plugin for WordPress. This flaw allows unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order. This can lead to theft of paid digital goods. This affects Download Monitor versions up to and including 5.1.7. Version 5.1.8 contains a fix for this vulnerability.
The primary impact of CVE-2026-3124 is the potential for unauthorized access to paid digital goods. An attacker can exploit the IDOR vulnerability by purchasing a low-cost item and then using the resulting PayPal transaction token to complete a pending order for a more expensive item. This effectively allows the attacker to obtain the digital good without paying the full price. The blast radius is limited to users of the Download Monitor plugin, but the potential for financial loss and reputational damage is significant, particularly for businesses relying on the plugin for digital product sales. This vulnerability shares similarities with other IDOR flaws where predictable or manipulable identifiers are used without proper access controls.
CVE-2026-3124 was publicly disclosed on 2026-03-30. There are currently no known public proof-of-concept exploits available, but the vulnerability's ease of understanding suggests that one may emerge. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the vulnerability's public disclosure and relatively simple exploitation path. It is not currently listed on the CISA KEV catalog.
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3124 is to immediately upgrade the Download Monitor plugin to version 5.1.8 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective, carefully reviewing and restricting access to the executePayment() function might offer limited protection. Thoroughly audit the plugin's code for similar vulnerabilities and ensure proper validation of all user-supplied input. After upgrading, confirm the fix by attempting to manipulate PayPal transaction tokens and verifying that the system prevents unauthorized order completion.
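As an added illustration (not Download Monitor's code), the sketch below shows the two server-side checks that close this class of flaw in a payment completion step: the PayPal token presented on return must be the one that was bound to that specific pending order when checkout was created, and the amount PayPal reports for that token must equal the order total. The class, function and field names (`OrderStore`, `completeOrder`, `paypal_token`, the in-memory store) are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. A minimal in-memory order store
// stands in for the real persistence layer (assumed names throughout).
final class OrderStore {
    /** @var array<int, array{status:string, amount:string, currency:string, paypal_token:?string}> */
    private array $orders = [];

    public function create(int $id, string $amount, string $currency): void {
        $this->orders[$id] = ['status' => 'pending', 'amount' => $amount,
                              'currency' => $currency, 'paypal_token' => null];
    }
    // Called when the PayPal checkout is created: bind the token to ONE order.
    public function bindToken(int $id, string $token): void {
        $this->orders[$id]['paypal_token'] = $token;
    }
    public function get(int $id): ?array { return $this->orders[$id] ?? null; }
    public function markCompleted(int $id): void { $this->orders[$id]['status'] = 'completed'; }
}

// Hardened completion step. $captured holds what PayPal reports for $token
// (amount/currency), fetched server-side, never taken from the request.
function completeOrder(OrderStore $store, int $orderId, string $token, array $captured): bool {
    $order = $store->get($orderId);
    if ($order === null || $order['status'] !== 'pending') {
        return false;                       // unknown or already-processed order
    }
    // IDOR fix: the token must be the one issued for THIS order; compared in
    // constant time so a mismatch leaks nothing about the stored value.
    if ($order['paypal_token'] === null || !hash_equals($order['paypal_token'], $token)) {
        return false;
    }
    // Price check: a payment for a cheaper item cannot settle a dearer order.
    $paidAmount  = number_format((float) $captured['amount'], 2, '.', '');
    $orderAmount = number_format((float) $order['amount'], 2, '.', '');
    if ($captured['currency'] !== $order['currency'] || $paidAmount !== $orderAmount) {
        return false;
    }
    $store->markCompleted($orderId);
    return true;
}

// Constructed scenario: a token issued for a 1.00 USD order is presented
// against a 99.00 USD pending order (first call), then against its own
// order (second call).
$store = new OrderStore();
$store->create(101, '1.00', 'USD');  $store->bindToken(101, 'EC-TOKEN-A');
$store->create(202, '99.00', 'USD'); $store->bindToken(202, 'EC-TOKEN-B');
$paid = ['amount' => '1.00', 'currency' => 'USD'];
var_dump(completeOrder($store, 202, 'EC-TOKEN-A', $paid));
var_dump(completeOrder($store, 101, 'EC-TOKEN-A', $paid));
```

Either check alone is insufficient: the token binding stops cross-order replay, and the amount comparison catches cases where a token is legitimately tied to an order whose price was later changed.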
Update to version 5.1.8 or a later patched version
CVE-2026-3124 is an Insecure Direct Object Reference (IDOR) vulnerability in the Download Monitor plugin for WordPress that allows unauthenticated attackers to complete arbitrary pending orders.
You are affected if you are using Download Monitor version 5.1.7 or earlier.
Update the Download Monitor plugin to version 5.1.8 or later to resolve this vulnerability.
There are currently no public exploitation reports or proof-of-concept code available.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-3124: https://nvd.nist.gov/vuln/detail/CVE-2026-3124