Skip to main content

Dokan CVE-2025-53425

HIGH
Incorrect Privilege Assignment (CWE-266)
2025-10-22 audit@patchstack.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 01:12 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 24, 2026 - 01:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:42 NVD
7.6 (HIGH) 7.2 (HIGH)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Oct 22, 2025 - 15:15 nvd
HIGH 7.6

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation.This issue affects Dokan: from n/a through <= 4.1.3.

AnalysisAI

Privilege escalation in Dokan (WordPress multi-vendor marketplace plugin) versions up to 4.1.3 allows high-privileged users to elevate their permissions beyond intended role boundaries. Reported by Patchstack audit team with EPSS exploitation probability of 0.08% (24th percentile), indicating low real-world exploitation likelihood. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.

Technical ContextAI

Dokan is a WordPress plugin enabling multi-vendor marketplace functionality. This vulnerability stems from CWE-266 (Incorrect Privilege Assignment), where the plugin fails to properly enforce authorization boundaries between user roles. In WordPress multi-vendor environments, vendors typically have restricted administrative capabilities limited to their own store data. This flaw allows authenticated high-privileged users (likely vendor-level accounts) to perform actions or access resources outside their designated permission scope, potentially escalating to site administrator capabilities or accessing other vendors' data. The network attack vector (AV:N) indicates exploitation occurs through the web application interface rather than requiring local system access.

Affected ProductsAI

Dokan (dokan-lite) WordPress plugin versions from earliest available release through 4.1.3 are confirmed vulnerable. The plugin is developed by Dokan, Inc. and distributed through the WordPress.org plugin repository. Both free (dokan-lite) and potentially premium (dokan-pro) variants may be affected, though only dokan-lite is explicitly named in the CVE. Installations using Dokan for WooCommerce multi-vendor marketplace functionality are impacted. Vendor advisory and technical details available at Patchstack database reference https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-0-8-privilege-escalation-vulnerability.

RemediationAI

Upgrade Dokan plugin to version 4.1.4 or later if available (check WordPress admin dashboard or https://wordpress.org/plugins/dokan-lite/ for latest patched release, as CVE lists 4.1.3 as final vulnerable version). Before upgrading, audit existing high-privileged vendor accounts for suspicious activity or unauthorized permission changes. If immediate patching is not feasible, implement compensating controls: restrict new vendor account creation to site administrators only (disable self-registration), enable WordPress activity logging to monitor privilege changes (plugins like WP Activity Log), review and revoke unnecessary high-privilege roles, and implement principle of least privilege by downgrading vendor accounts to lowest functional permission level. Note that restricting vendor capabilities may impact legitimate marketplace operations - test thoroughly in staging environment. Monitor Dokan changelog and Patchstack advisory for additional mitigation guidance.

Share

CVE-2025-53425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy