cleantalk
Vulnerabilities and Security Researches

Download Manager and Payment Form WordPress Plugin – WP SmartPay, CVE-2025-3851

CVE, Research URL

CVE-2025-3851

Home page URL

Security reports for Download Manager and Payment Form WordPress Plugin – WP SmartPay

Application

Download Manager and Payment Form WordPress Plugin – WP SmartPay

Published on
May 07, 2025
Research Description
The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's data like email address, name, and notes.
Affected versions
Min 1.1.0, max 2.7.13.
Status
vulnerable
Previous vulnerability researches
WP Joomag (CVE-2025-22827) , Jan 11, 2025
New vulnerability
Address Autocomplete via Google for Gravity Forms (CVE-2025-53263) , Jul 03, 2025
Spoki – Chat Buttons and WooCommerce Notifications (CVE-2025-50026) , Jul 03, 2025
Amazon Products to WooCommerce (CVE-2025-5813) , Jul 03, 2025
Breeze – WordPress Cache Plugin (CVE-2025-23999) , Jul 03, 2025
Twitch TV Embed Suite (CVE-2025-53313) , Jul 03, 2025