Description
The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to view arbitrary customers' subscription data including subscription status, product names, order IDs, purchase dates, and expiry dates.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The 2Download Connector for 2DL Hosted Checkout plugin for WordPress contains a missing-authorization flaw (CWE-862). The plugin fails to verify that the requesting user is permitted to view customer subscription information. Consequently, any unauthenticated web request that supplies the 'ToDownload_email' parameter can expose private subscription details such as status, product names, order IDs, purchase dates, and expiry dates. The vulnerability compromises confidentiality by disclosing sensitive customer data to outsiders. The scope is limited to sites that host the affected plugin, but once the plugin is activated on a site, the exposed data is available to anyone who can reach that site over the network.

Affected Systems

All instances of the 2Download Connector for 2DL Hosted Checkout through version 0.1.5 are affected. The vulnerability exists in every WordPress site that has installed this plugin version or an older one. No other product versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 classifies this issue as medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of known exploitation. The attack vector is likely a web request that manipulates the 'ToDownload_email' parameter; no authentication is required. While exploitation is straightforward, the impact is limited to data exposure rather than system compromise, which reduces the overall risk relative to high-severity vulnerabilities.

Generated by OpenCVE AI on June 19, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the 2Download Connector for 2DL Hosted Checkout to the latest version, which removes the missing authorization check.
  • If an update cannot be applied immediately, disable or remove the shortcode that uses the 'ToDownload_email' parameter, thereby blocking unauthenticated data exposure.
  • Implement server‑side access controls or authentication checks for any remaining delivery scripts that may still expose subscription data, ensuring that only privileged users can access such endpoints.
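The last two actions describe the same fix from two angles: the shortcode must not hand out subscription data for an arbitrary e-mail address supplied in the request, and every remaining path that renders such data must be gated behind an authorization check. The following PHP is an added illustration written for this page, not code from the 2Download Connector plugin or from Wordfence; the shortcode name 'example_subscriptions', the request parameter 'email', the lookup helper and the "administrators may look up other customers" policy are all assumptions chosen to show the pattern, and the subscription rows are constructed sample data.

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical WordPress
// shortcode that renders subscription data. Shows the missing-authorization
// pattern (CWE-862) beside a hardened handler.
// Assumed names: example_subscriptions, example_lookup_subscriptions(), 'email'.

// Stand-in for a data lookup; returns constructed sample rows.
function example_lookup_subscriptions( string $email ): array {
    $sample = [ // constructed sample data
        'alice@example.com' => [
            [ 'status' => 'active', 'product' => 'Pro Plan', 'order_id' => 1001,
              'purchased' => '2026-01-10', 'expires' => '2027-01-10' ],
        ],
    ];
    return $sample[ strtolower( $email ) ] ?? [];
}

// Weak pattern: the address comes straight from the request and nothing ties
// it to the requesting user, so any visitor who can load a page rendering
// this shortcode can read any customer's subscription rows.
function example_subscriptions_shortcode_weak( $atts ): string {
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    return example_render_rows( example_lookup_subscriptions( $email ) );
}

// Hardened pattern: require an authenticated user and derive the address from
// that user's own account. A request-supplied address is honoured only for
// users holding an explicit capability (assumed policy), and refused lookups
// are logged so that probing shows up in the web server's error log.
function example_subscriptions_shortcode_secure( $atts ): string {
    if ( ! is_user_logged_in() ) {
        return '<p>Please log in to view your subscriptions.</p>';
    }
    $user  = wp_get_current_user();
    $email = $user->user_email;

    $requested = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( $requested !== '' && strcasecmp( $requested, $email ) !== 0 ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            error_log( sprintf( 'example_subscriptions: user %d denied lookup of %s',
                                $user->ID, $requested ) );
            return '<p>You are not allowed to view subscriptions for that address.</p>';
        }
        $email = $requested;
    }
    return example_render_rows( example_lookup_subscriptions( $email ) );
}

// Escape every field on output so stored data cannot inject markup.
function example_render_rows( array $rows ): string {
    if ( empty( $rows ) ) {
        return '<p>No subscriptions found.</p>';
    }
    $html = '<table><tr><th>Status</th><th>Product</th><th>Order</th>'
          . '<th>Purchased</th><th>Expires</th></tr>';
    foreach ( $rows as $r ) {
        $html .= '<tr>';
        foreach ( [ 'status', 'product', 'order_id', 'purchased', 'expires' ] as $k ) {
            $html .= '<td>' . esc_html( (string) $r[ $k ] ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Register only the hardened handler; the weak one is kept above for contrast.
add_shortcode( 'example_subscriptions', 'example_subscriptions_shortcode_secure' );
```

The key design point is that the hardened handler never trusts the request to say whose data is being asked for: the identity comes from the WordPress session, and crossing to another customer's record requires a capability check rather than merely knowing their e-mail address. The same rule applies to any AJAX action or REST route that returns subscription data, which should pair this kind of check with a nonce or REST permission callback.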

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 08:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to view arbitrary customers' subscription data including subscription status, product names, order IDs, purchase dates, and expiry dates.

Type: Title
Values Removed: (none)
Values Added: 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T06:51:07.887Z

Reserved: 2026-04-21T14:37:13.586Z

Link: CVE-2026-6798

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T09:30:16Z

Weaknesses