CVE-2024-7386

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7386
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a714536-c6fd-495b-b774-104657329a74?source=cve Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= Patch
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpdownloadmanager:premium_packages_-_sell_digital_products_securely:*:*:*:*:*:wordpress:*:*
History

10 Jul 2025, 21:29

Type Values Removed Values Added
CPE cpe:2.3:a:wpdownloadmanager:premium_packages_-_sell_digital_products_securely:*:*:*:*:*:wordpress:*:*
First Time Wpdownloadmanager premium Packages - Sell Digital Products Securely
Wpdownloadmanager
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/0a714536-c6fd-495b-b774-104657329a74?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/0a714536-c6fd-495b-b774-104657329a74?source=cve - Third Party Advisory

25 Sep 2024, 17:15

Type Values Removed Values Added
Summary The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the wpdmpp_async_request() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
References
  • {'url': 'https://plugins.trac.wordpress.org/browser/wpdm-premium-packages/trunk/wpdm-premium-packages.php?rev=3102989#L1148', 'name': 'https://plugins.trac.wordpress.org/browser/wpdm-premium-packages/trunk/wpdm-premium-packages.php?rev=3102989#L1148', 'tags': [], 'refsource': ''}
  • () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= -

25 Sep 2024, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-25 03:15

Updated : 2025-07-10 21:29

NVD link : CVE-2024-7386

Mitre link : CVE-2024-7386

JSON object : View

Products Affected

wpdownloadmanager

  • premium_packages_-_sell_digital_products_securely
CWE
CWE-352

Cross-Site Request Forgery (CSRF)