CVE-2026-3124 - Vulnerability Details

- Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'

Description

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.

Published: 2026-03-30

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Download Monitor plugin for WordPress contains an insecure direct object reference flaw in the executePayment() function, allowing unauthenticated users to submit a PayPal transaction token that does not match the local order ID. By crafting a request with a forged token and order_id, an attacker can complete any pending order with minimal payment, effectively stealing paid digital goods. This vulnerability is classified as CWE‑639 and can result in financial loss for site owners.

Affected Systems

The flaw affects the Download Monitor plugin from wpchill. All versions up to and including 5.1.7 are vulnerable, so any WordPress site running one of these plugin versions is at risk.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity; the exploit does not require authentication or elevated privileges, making it straightforward for attackers to complete arbitrary orders. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but its potential for remote payment fraud makes it an attractive target for malicious actors.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpchill

Download Monitor

unaffected

Version	Status	Constraints
`*`	affected	≤ 5.1.7

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wpchill

Download Monitor

100%

Version	Status	Scheme	Platform
`[0,5.1.7]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Download Monitor to a version newer than 5.1.7
Restrict access to the executePayment endpoint so only authenticated users can invoke it
Consult the plugin vendor’s website or the WordPress repository for any additional patches or advisories

Generated by OpenCVE AI on March 30, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3470119/download-monitor
https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve

History

Mon, 30 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpchill Wpchill download Monitor
Vendors & Products		Wordpress Wordpress wordpress Wpchill Wpchill download Monitor

Mon, 30 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
Title		Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'
Weaknesses		CWE-639
References		https://plugins.trac.wordpress.org/changeset/3470119/download-monitor https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Wordpress Wordpress

Wpchill Download Monitor

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-30T01:24:44.783Z

Updated: 2026-03-30T14:56:17.380Z

Reserved: 2026-02-24T14:05:44.981Z

Link: CVE-2026-3124

Vulnrichment

Updated: 2026-03-30T14:56:06.657Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T02:16:15.630

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-3124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:03:44Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object