Dokan CVE-2025-53425
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation.This issue affects Dokan: from n/a through <= 4.1.3.
AnalysisAI
Privilege escalation in Dokan (WordPress multi-vendor marketplace plugin) versions up to 4.1.3 allows high-privileged users to elevate their permissions beyond intended role boundaries. Reported by Patchstack audit team with EPSS exploitation probability of 0.08% (24th percentile), indicating low real-world exploitation likelihood. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Technical ContextAI
Dokan is a WordPress plugin enabling multi-vendor marketplace functionality. This vulnerability stems from CWE-266 (Incorrect Privilege Assignment), where the plugin fails to properly enforce authorization boundaries between user roles. In WordPress multi-vendor environments, vendors typically have restricted administrative capabilities limited to their own store data. This flaw allows authenticated high-privileged users (likely vendor-level accounts) to perform actions or access resources outside their designated permission scope, potentially escalating to site administrator capabilities or accessing other vendors' data. The network attack vector (AV:N) indicates exploitation occurs through the web application interface rather than requiring local system access.
Affected ProductsAI
Dokan (dokan-lite) WordPress plugin versions from earliest available release through 4.1.3 are confirmed vulnerable. The plugin is developed by Dokan, Inc. and distributed through the WordPress.org plugin repository. Both free (dokan-lite) and potentially premium (dokan-pro) variants may be affected, though only dokan-lite is explicitly named in the CVE. Installations using Dokan for WooCommerce multi-vendor marketplace functionality are impacted. Vendor advisory and technical details available at Patchstack database reference https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-0-8-privilege-escalation-vulnerability.
RemediationAI
Upgrade Dokan plugin to version 4.1.4 or later if available (check WordPress admin dashboard or https://wordpress.org/plugins/dokan-lite/ for latest patched release, as CVE lists 4.1.3 as final vulnerable version). Before upgrading, audit existing high-privileged vendor accounts for suspicious activity or unauthorized permission changes. If immediate patching is not feasible, implement compensating controls: restrict new vendor account creation to site administrators only (disable self-registration), enable WordPress activity logging to monitor privilege changes (plugins like WP Activity Log), review and revoke unnecessary high-privilege roles, and implement principle of least privilege by downgrading vendor accounts to lowest functional permission level. Note that restricting vendor capabilities may impact legitimate marketplace operations - test thoroughly in staging environment. Monitor Dokan changelog and Patchstack advisory for additional mitigation guidance.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today