2Download Connector For 2Dl Hosted Checkout
Monthly
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.