CVE ID :CVE-2026-3124 Published : March 30, 2026, 2:16 a.m. | 50 minutes ago Description :The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...