CVE-2026-3124

High

Published: 30 March 2026

Published

30 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0005 16.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3124 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to orders, directly preventing IDOR exploitation via unauthorized manipulation of user-controlled keys.

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of user-controlled keys in executePayment(), addressing the missing validation that enables token mismatch and arbitrary order completion.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely flaw remediation, such as applying the plugin patch to fix the IDOR vulnerability in all affected versions.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote exploitation of public-facing WordPress plugin via IDOR/authz bypass (CWE-639) to manipulate orders and exfil digital goods.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated…

attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.

Deeper analysisAI

CVE-2026-3124 is an Insecure Direct Object Reference vulnerability (CWE-639) in the Download Monitor plugin for WordPress, affecting all versions up to and including 5.1.7. The flaw exists in the executePayment() function due to missing validation on a user-controlled key, which enables attackers to manipulate order completions by exploiting a mismatch between PayPal transaction tokens and local orders.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By paying a minimal amount for a low-cost item to obtain a valid PayPal transaction token, attackers can then use that token to finalize arbitrary high-value pending orders, resulting in the theft of paid digital goods.

Mitigation details are provided in the plugin's WordPress trac changeset 3470119, which contains the patch, and the Wordfence threat intelligence advisory at the referenced URL. WordPress site administrators running affected versions of the Download Monitor plugin should update to a patched release to address the issue.