Download Monitor < 5.1.8 – Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id' | CVE 2026-3124 | Plugin Vulnerabilities

Description

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.

Affects Plugins

download-monitor

Fixed in 5.1.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Hung Nguyen (bashu)

Verified

No

WPVDB ID

d3c33f20-69ed-47ef-a19a-029a428632b7

Timeline

Publicly Published

2026-03-29 (about 2 months ago)

Added

2026-03-29 (about 2 months ago)

Last Updated

2026-03-30 (about 2 months ago)

Other

Published

Title

Published

2025-10-21

Title

Flexible Refund and Return Order for WooCommerce < 1.0.39 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

Published

2026-03-14

Title

NEX-Forms – Ultimate Forms Plugin for WordPress < 9.1.10 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

Published

2023-05-12

Title

RegistrationMagic < 5.2.1.0 - Admin+ Arbitrary Password Update via IDOR

Published

2026-01-27

Title

Document Embedder < 2.0.5 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion

Published

2025-12-02

Title

Projectopia <= 5.1.22 - Authenticated (Custom+) Insecure Direct Object Reference