Download Monitor WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthenticated Arbitrary Order Completion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Download Monitor plugin for WordPress, affecting all versions through 5.1.7. The issue arises in the executePayment() function, where insufficient validation of a user-controlled key allows unauthenticated attackers to complete arbitrary pending orders. Exploitation involves manipulating the PayPal transaction token so that it is matched against a different local order: an attacker pays a minimal amount for a low-cost item and then uses that token to finalize a high-value order, obtaining the digital goods without paying for them.
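To make the mitigation concrete, the following is an added, modeled example (not the plugin's own code; the order structure, function names and gateway lookup are assumptions) contrasting a completion routine that trusts the request's order id and only checks that some token was paid with one that binds the token to the order it was issued for and verifies the paid amount and currency before marking the order complete.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Order:
    order_id: int
    amount: float
    currency: str
    status: str = "pending"
    payment_token: Optional[str] = None  # gateway token issued for this order at checkout

def make_orders() -> Dict[int, Order]:
    """Constructed sample data: a cheap pending order and an expensive pending order."""
    return {
        1: Order(1, 1.00, "USD", payment_token="TOK-cheap"),
        2: Order(2, 100.00, "USD", payment_token="TOK-expensive"),
    }

# Constructed stand-in for what a server-side lookup at the gateway reports per token.
GATEWAY = {
    "TOK-cheap": {"amount": 1.00, "currency": "USD", "state": "COMPLETED"},
    "TOK-expensive": {"amount": 100.00, "currency": "USD", "state": "CREATED"},
}

def execute_payment_vulnerable(orders: Dict[int, Order], order_id: int, token: str) -> bool:
    """IDOR pattern: trusts the request's order id and only checks that the token was paid."""
    order, paid = orders.get(order_id), GATEWAY.get(token)
    if order is None or paid is None or paid["state"] != "COMPLETED":
        return False
    order.status = "completed"  # never checks the token belongs to this order or what was paid
    return True

def execute_payment_hardened(orders: Dict[int, Order], order_id: int, token: str) -> bool:
    """Binds the token to its order and verifies the paid amount before completing."""
    order, paid = orders.get(order_id), GATEWAY.get(token)
    if order is None or paid is None or order.status != "pending":
        return False
    if order.payment_token != token:  # token must be the one issued for this exact order
        return False
    if paid["state"] != "COMPLETED":
        return False
    if paid["currency"] != order.currency or paid["amount"] < order.amount:
        return False  # a payment for a cheaper item cannot settle this order
    order.status = "completed"
    return True
```

The hardened version rejects a completed low-value token presented against the high-value order, and also refuses to complete an order twice or an order whose own token is not yet paid.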

Impact

Exploitation of this vulnerability allows for unauthorized completion of orders, leading to potential theft of digital goods.

Remediation

Users are advised to update the Download Monitor plugin to version 5.1.8 or later.

Added: Mar 30, 2026, 2:19 AM
Updated: Mar 30, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          3.1
exploitability  5.7
remediation     7.7
relevance       4.9
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.