CVE-2026-3124

HIGH

Published:Mar 30, 2026(Today)

Modified:Mar 30, 2026

AI Explanation

The Download Monitor plugin for WordPress has a vulnerability that allows attackers to exploit a mismatch between PayPal transaction tokens and local orders, enabling them to steal paid digital goods by paying for a low-cost item and using that payment token to finalize a high-value order. This is due to missing validation on a user-controlled key in the executePayment() function. Attackers can complete arbitrary pending orders without authentication.

Developers using the Download Monitor plugin for WordPress are at high risk of allowing unauthenticated attackers to steal paid digital goods, posing a significant financial threat to their business.

Network AccessLow ComplexityNo Auth NeededNo User Interaction

How to Fix

1Update the Download Monitor plugin to a version higher than 5.1.7, 2. Validate user-controlled keys in the executePayment() function to prevent Insecure Direct Object Reference, 3. Monitor for suspicious transaction activity and implement additional security measures to prevent exploitation

References

https://plugins.trac.wordpress.org/changeset/3470119/download-monitor
https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-686...

CVSS Score

v3.1

7.5/ 10.0

HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

At a Glance

Affected Products

References

CVSS v3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2026-3124

✦ AI Explanation

How to Fix

References

CVSS Score

At a Glance

CVSS v3 Vector

Impact Analysis

AI Explanation