CVE-2025-53425
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description
Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation. This issue affects Dokan: from n/a through <= 4.1.3.
Analysis
Privilege escalation in the Dokan Lite WordPress plugin (versions ≤ 4.1.3) enables low-privileged authenticated users to elevate their privileges on vulnerable sites. The vulnerability stems from incorrect privilege assignment (CWE-266) and is exploitable remotely with low attack complexity and no user interaction required. With an EPSS score of 0.08% (24th percentile), the real-world exploitation probability is currently low, and no active exploitation or public exploit code had been identified at the time of analysis. Authenticated attackers can gain unauthorized high-level confidentiality access, with limited integrity and availability impact.
Technical Context
Dokan Lite is a WordPress multivendor marketplace plugin enabling users to create and manage vendor storefronts. This vulnerability involves CWE-266 (Incorrect Privilege Assignment), where the plugin fails to properly enforce role-based access controls or privilege boundaries. The flaw allows authenticated users with low-level privileges (likely customer or vendor roles) to perform actions or access resources reserved for higher privilege levels (potentially shop managers or administrators). The CVSS vector indicates network-based exploitation requiring authentication (PR:L) but no additional complexity barriers, suggesting the privilege escalation mechanism is directly accessible through plugin functionality without requiring complex preconditions or race conditions.
Affected Products
The vulnerability affects Dokan Lite WordPress plugin versions from the earliest available release through version 4.1.3 inclusive. Dokan Lite is developed by Dokan, Inc. and serves as a WordPress multivendor marketplace solution allowing site owners to create Amazon- or Etsy-style marketplaces. The vendor advisory and technical details are available through Patchstack's vulnerability database at https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-0-8-privilege-escalation-vulnerability. All WordPress installations running Dokan Lite plugin versions 4.1.3 or earlier should be considered vulnerable regardless of the WordPress core version.
Remediation
Site administrators should immediately upgrade the Dokan Lite plugin to version 4.1.4 or later, which addresses the incorrect privilege assignment vulnerability. Updates can be applied through the WordPress admin dashboard plugin update mechanism or by downloading the latest version directly from the WordPress plugin repository. Before updating production environments, administrators should verify compatibility in a staging environment and ensure complete backups are available. As an interim risk reduction measure pending patching, organizations can restrict new user registrations, audit existing low-privileged user accounts for suspicious activity, and implement additional web application firewall rules to monitor for privilege escalation attempts. Detailed vulnerability information and remediation guidance are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-0-8-privilege-escalation-vulnerability. No effective workaround exists that maintains full plugin functionality while eliminating the vulnerability.
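The version gate and account audit described above, as an added POSIX shell example (not code from the advisory, Patchstack or Dokan): it compares the installed version field by field so that 4.1.10 is correctly treated as fixed, and it assumes WP-CLI is available and that the plugin slug is dokan-lite.

```shell
#!/bin/sh
# Added defensive check for CVE-2025-53425 (not from the advisory or the vendor).
# Affected: Dokan Lite <= 4.1.3. First fixed release named in the advisory: 4.1.4.
DOKAN_LITE_FIXED_VERSION="4.1.4"

# version_lt A B -> exit 0 if A < B. Compares dot-separated numeric fields, so
# "4.1.10" sorts after "4.1.3"; a plain string compare would get that wrong.
# Missing fields count as 0 (4.1 == 4.1.0); a suffix such as "-beta" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a="" || a=${a#*.}
        [ "$bh" = "$b" ] && b="" || b=${b#*.}
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# dokan_lite_affected VERSION -> exit 0 if VERSION is in the affected range.
dokan_lite_affected() {
    version_lt "$1" "$DOKAN_LITE_FIXED_VERSION"
}

# Live check, run from the WordPress root. Assumes WP-CLI ("wp") is installed
# and the plugin is installed under the slug "dokan-lite".
check_site() {
    ver=$(wp plugin get dokan-lite --field=version 2>/dev/null) || {
        echo "dokan-lite not installed or WP-CLI unavailable"; return 2; }
    if dokan_lite_affected "$ver"; then
        echo "Dokan Lite $ver is affected by CVE-2025-53425; update to >= $DOKAN_LITE_FIXED_VERSION"
        # Interim triage from the advisory: review accounts, newest registrations
        # first, so recently created low-privileged users can be audited.
        wp user list --fields=ID,user_login,roles,user_registered \
            --orderby=registered --order=desc
        return 1
    fi
    echo "Dokan Lite $ver is not affected"
}
```

Run `check_site` from the site's document root; a non-zero exit means the installed version still needs the update.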