The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
References
Configurations
Configuration 1 (hide)
|
History
10 Jul 2025, 21:29
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wpdownloadmanager
Wpdownloadmanager premium Packages - Sell Digital Products Securely |
|
| References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= - Patch | |
| References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/0a714536-c6fd-495b-b774-104657329a74?source=cve - Third Party Advisory | |
| CPE | cpe:2.3:a:wpdownloadmanager:premium_packages_-_sell_digital_products_securely:*:*:*:*:*:wordpress:*:* |
Information
Published : 2024-09-25 03:15
Updated : 2025-07-10 21:29
NVD link : CVE-2024-7386
Mitre link : CVE-2024-7386
CVE.ORG link : CVE-2024-7386
JSON object : View
Products Affected
wpdownloadmanager
- premium_packages_-_sell_digital_products_securely
CWE
CWE-352
Cross-Site Request Forgery (CSRF)