<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Download Monitor Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/download-monitor-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/download-monitor-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>Download Monitor WordPress Plugin Insecure Direct Object Reference</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-download-monitor-idor/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-download-monitor-idor/</guid><description>The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) allowing unauthenticated attackers to steal paid digital goods by manipulating PayPal transaction tokens to complete arbitrary orders.</description><content:encoded><![CDATA[<p>The Download Monitor plugin for WordPress, versions 5.1.7 and earlier, contains an Insecure Direct Object Reference (IDOR) vulnerability. This flaw resides within the <code>executePayment()</code> function, stemming from inadequate validation of a user-controlled key. An unauthenticated attacker can exploit this vulnerability by manipulating the PayPal transaction token associated with pending orders. The attacker can essentially &quot;swap&quot; a payment token from a low-value purchase to finalize a high-value order, effectively stealing digital goods. This attack does not require any prior authentication or knowledge of the system beyond the presence of the vulnerable plugin. This vulnerability poses a significant risk to websites that rely on the Download Monitor plugin to sell digital products, as it allows attackers to bypass payment for valuable content.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a WordPress website using the vulnerable Download Monitor plugin (versions &lt;= 5.1.7).</li>
<li>The attacker identifies a high-value digital product offered for sale through the plugin.</li>
<li>The attacker purchases a low-value item through the website, completing the PayPal transaction to receive a valid transaction token.</li>
<li>The attacker identifies the pending order ID of the high-value product they wish to steal, likely through enumeration or predictable order naming schemes.</li>
<li>The attacker crafts a malicious request to the <code>executePayment()</code> function, replacing the expected PayPal transaction token for the high-value order with the token obtained from the low-value purchase.</li>
<li>The server-side <code>executePayment()</code> function fails to properly validate the transaction token against the expected order details.</li>
<li>The plugin incorrectly marks the high-value order as &quot;paid&quot; and grants the attacker access to the digital product.</li>
<li>The attacker downloads the high-value digital product for free, resulting in financial loss for the website owner.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this IDOR vulnerability allows unauthenticated attackers to bypass payment and steal digital goods offered through the Download Monitor plugin. The number of affected websites is unknown, but any site using Download Monitor versions 5.1.7 or earlier is vulnerable. The financial impact depends on the value of the digital products offered, and the frequency with which attackers exploit the flaw. Websites selling high-value digital assets are at the greatest risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Download Monitor plugin to the latest version, which includes a patch for CVE-2026-3124.</li>
<li>Implement the Sigma rule <code>Detect Suspicious Download Monitor Payment Execution</code> to identify potential exploitation attempts by monitoring POST requests to <code>executePayment()</code> with unusual parameters or token mismatches.</li>
<li>Enable web server logging and carefully monitor access logs for POST requests to <code>/wp-content/plugins/download-monitor/includes/</code> to enable detections.</li>
<li>Implement server-side validation to verify that the PayPal transaction token matches the expected order details before finalizing any order.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>idor</category><category>download-monitor</category><category>cve-2026-3124</category></item></channel></rss>