
    1 vulnerability by 2download

    CVE-2026-6798 (GCVE-0-2026-6798)

    Vulnerability from cvelistv5 – Published: 2026-06-19 06:51 – Updated: 2026-06-19 06:51
    Title
    2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter
    Summary
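    The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. The plugin does not properly verify that a user is authorized to perform an action (CWE-862, Missing Authorization); per the record title, the exposure is reached via the 'ToDownload_email' parameter. This makes it possible for unauthenticated attackers to view arbitrary customers' subscription data, including subscription status, product names, order IDs, purchase dates, and expiry dates. The record lists only the affected range (<= 0.1.5) and names no fixed release, so check the installed plugin version against the referenced changeset before treating a site as remediated.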
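    CWE: CWE-862 Missing Authorization
    Assigner: Wordfence
    Impacted products: 2download – 2Download Connector for 2DL Hosted Checkout (versions <= 0.1.5)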
    Credits
    Mohamed Haidar

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "2Download Connector for 2DL Hosted Checkout",
              "vendor": "2download",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohamed Haidar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to view arbitrary customers\u0027 subscription data including subscription status, product names, order IDs, purchase dates, and expiry dates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T06:51:07.887Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46a36f2b-c352-4d76-b4c4-8a73ec5dd910?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1776"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1776"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1767"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1767"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3524785%402download-connector\u0026new=3524785%402download-connector\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-18T17:37:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "2Download Connector for 2DL Hosted Checkout \u003c= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via \u0027ToDownload_email\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6798",
        "datePublished": "2026-06-19T06:51:07.887Z",
        "dateReserved": "2026-04-21T14:37:13.586Z",
        "dateUpdated": "2026-06-19T06:51:07.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }