PT-2026-28427 · WordPress · Download Monitor

Hung Nguyen · Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-3124

CVSS v3.1: 7.5 (High) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Download Monitor plugin for WordPress versions prior to 5.1.8

Description: The software contains an Insecure Direct Object Reference issue in the executePayment() function. Missing validation on a user-controlled key allows unauthenticated attackers to complete arbitrary pending orders. The PayPal transaction token is not bound to the local order id, so a payment token obtained for a low-cost item can be used to finalize a high-value order, potentially enabling theft of paid digital goods.

Recommendations: Update to Download Monitor plugin version 5.1.8 or later.
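The check that is missing in the pattern described above, as an added illustration (not Download Monitor's code): the weak handler finalizes whichever order the client names once PayPal reports any token as completed, while the hardened handler resolves the order from the token issued at checkout and requires the captured reference, currency and amount to match it. All field names and the sample data are assumptions constructed for this example.

```php
<?php
// Added illustration, not Download Monitor's own code. Field names ($order['id'],
// $capture['invoice_id'], ...) are assumptions standing in for whatever the real
// checkout stores locally and whatever PayPal returns for the executed payment.

// Weak pattern: the order to finalize comes from a client-supplied id, and any
// token PayPal reports as completed is accepted for it. Nothing ties the payment
// to this particular order.
function finalize_order_weak(array $request, array $capture, array $orders): ?int
{
    $order_id = (int) ($request['order_id'] ?? 0);
    if (!isset($orders[$order_id]) || ($capture['status'] ?? '') !== 'COMPLETED') {
        return null;
    }
    return $order_id; // finalized regardless of what was actually paid for
}

// Hardened pattern: resolve the order from the token issued at checkout and
// require the captured reference, currency and amount to match that order.
function finalize_order_hardened(array $request, array $capture, array $orders): ?int
{
    $token = (string) ($request['token'] ?? '');
    $order = null;
    foreach ($orders as $candidate) {
        if (hash_equals($candidate['paypal_token'], $token)) { $order = $candidate; break; }
    }
    if ($order === null || $order['status'] !== 'pending' || ($capture['status'] ?? '') !== 'COMPLETED') {
        return null;
    }
    $same_ref      = (string) ($capture['invoice_id'] ?? '') === (string) $order['id'];
    $same_currency = ($capture['currency'] ?? '') === $order['currency'];
    $same_amount   = number_format((float) ($capture['amount'] ?? 0), 2, '.', '')
                   === number_format((float) $order['total'], 2, '.', '');
    if (!$same_ref || !$same_currency || !$same_amount) {
        // A mismatch here is exactly the condition worth logging and alerting on.
        error_log("payment/order mismatch: order {$order['id']}, token {$token}");
        return null;
    }
    return (int) $order['id'];
}

// Constructed sample: a completed capture for a 1.00 item is presented together
// with a request naming a 100.00 pending order.
$orders = [
    7  => ['id' => 7,  'status' => 'pending', 'total' => '1.00',   'currency' => 'USD', 'paypal_token' => 'EC-LOW'],
    42 => ['id' => 42, 'status' => 'pending', 'total' => '100.00', 'currency' => 'USD', 'paypal_token' => 'EC-HIGH'],
];
$capture = ['status' => 'COMPLETED', 'invoice_id' => '7', 'amount' => '1.00', 'currency' => 'USD'];
$request = ['order_id' => 42, 'token' => 'EC-LOW'];
var_dump(finalize_order_weak($request, $capture, $orders));
var_dump(finalize_order_hardened($request, $capture, $orders));
```

With the sample data the weak path finalizes the order named in the request, while the hardened path only finalizes the order the token was actually issued and paid for.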

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-3124

Affected Products: Download Monitor