The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
References
Configurations
Configuration 1 (hide)
|
History
10 Jul 2025, 21:29
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156970%40wpdm-premium-packages&new=3156970%40wpdm-premium-packages&sfp_email=&sfph_mail= - Patch | |
| References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/0a714536-c6fd-495b-b774-104657329a74?source=cve - Third Party Advisory | |
| CPE | cpe:2.3:a:wpdownloadmanager:premium_packages_-_sell_digital_products_securely:*:*:*:*:*:wordpress:*:* | |
| First Time |
Wpdownloadmanager
Wpdownloadmanager premium Packages - Sell Digital Products Securely |
26 Sep 2024, 13:32
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-09-25 03:15
Updated : 2025-07-10 21:29
NVD link : CVE-2024-7386
Mitre link : CVE-2024-7386
CVE.ORG link : CVE-2024-7386
JSON object : View
Products Affected
wpdownloadmanager
- premium_packages_-_sell_digital_products_securely
CWE
CWE-352
Cross-Site Request Forgery (CSRF)