{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/download-monitor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Download Monitor plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","idor","download-monitor","cve-2026-3124"],"_cs_type":"advisory","_cs_vendors":["Download Monitor"],"content_html":"\u003cp\u003eThe Download Monitor plugin for WordPress, versions 5.1.7 and earlier, contains an Insecure Direct Object Reference (IDOR) vulnerability. This flaw resides within the \u003ccode\u003eexecutePayment()\u003c/code\u003e function, stemming from inadequate validation of a user-controlled key. An unauthenticated attacker can exploit this vulnerability by manipulating the PayPal transaction token associated with pending orders. The attacker can essentially \u0026quot;swap\u0026quot; a payment token from a low-value purchase to finalize a high-value order, effectively stealing digital goods. This attack does not require any prior authentication or knowledge of the system beyond the presence of the vulnerable plugin. This vulnerability poses a significant risk to websites that rely on the Download Monitor plugin to sell digital products, as it allows attackers to bypass payment for valuable content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress website using the vulnerable Download Monitor plugin (versions \u0026lt;= 5.1.7).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a high-value digital product offered for sale through the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker purchases a low-value item through the website, completing the PayPal transaction to receive a valid transaction token.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the pending order ID of the high-value product they wish to steal, likely through enumeration or predictable order naming schemes.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u003ccode\u003eexecutePayment()\u003c/code\u003e function, replacing the expected PayPal transaction token for the high-value order with the token obtained from the low-value purchase.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003eexecutePayment()\u003c/code\u003e function fails to properly validate the transaction token against the expected order details.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly marks the high-value order as \u0026quot;paid\u0026quot; and grants the attacker access to the digital product.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the high-value digital product for free, resulting in financial loss for the website owner.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows unauthenticated attackers to bypass payment and steal digital goods offered through the Download Monitor plugin. The number of affected websites is unknown, but any site using Download Monitor versions 5.1.7 or earlier is vulnerable. The financial impact depends on the value of the digital products offered, and the frequency with which attackers exploit the flaw. Websites selling high-value digital assets are at the greatest risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Download Monitor plugin to the latest version, which includes a patch for CVE-2026-3124.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Download Monitor Payment Execution\u003c/code\u003e to identify potential exploitation attempts by monitoring POST requests to \u003ccode\u003eexecutePayment()\u003c/code\u003e with unusual parameters or token mismatches.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and carefully monitor access logs for POST requests to \u003ccode\u003e/wp-content/plugins/download-monitor/includes/\u003c/code\u003e to enable detections.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to verify that the PayPal transaction token matches the expected order details before finalizing any order.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-download-monitor-idor/","summary":"The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) allowing unauthenticated attackers to steal paid digital goods by manipulating PayPal transaction tokens to complete arbitrary orders.","title":"Download Monitor WordPress Plugin Insecure Direct Object Reference","url":"https://feed.craftedsignal.io/briefs/2024-01-03-download-monitor-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Download-Monitor","version":"https://jsonfeed.org/version/1.1"}