EUVD-2026-17052
GHSA-r9gc-9vw9-725f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
Analysis
Insecure Direct Object Reference in WP Download Monitor plugin (≤5.1.7) enables unauthenticated attackers to complete arbitrary pending orders by manipulating PayPal transaction tokens, allowing theft of paid digital goods. Attackers can pay minimal amounts for low-cost items and use those payment tokens to finalize high-value orders, effectively bypassing payment validation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify all WordPress instances running WP Download Monitor ≤5.1.7 using plugin inventory or vulnerability scanning tools. Within 7 days: disable the WP Download Monitor plugin, migrate to alternative digital goods fulfillment solutions (e.g., Easy Digital Downloads, SendOwl), or downgrade payment processing to manual verification only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today