Skip to main content

Dokan CVE-2026-10023

| EUVDEUVD-2026-37835 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-18 Wordfence GHSA-ghfc-6wf7-mhgw
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network AJAX endpoint, low complexity, vendor account required (PR:L); no confidentiality loss or availability impact confirmed; integrity impact is low per CVSS granularity despite broad order manipulation scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 04:44 vuln.today
Analysis Generated
Jun 18, 2026 - 04:44 vuln.today
CVE Published
Jun 18, 2026 - 03:41 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID - the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.

AnalysisAI

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain vendor account on target marketplace
Delivery
Load own order dashboard page to harvest valid WordPress nonce
Exploit
Enumerate or guess victim order IDs
Execution
Craft AJAX POST to wp-admin/admin-ajax.php with victim order_id and harvested nonce
Persist
Server processes request without ownership check
Impact
Modify order status, inject fraudulent notes/tracking, or grant unauthorized download access

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with Dokan vendor (seller) role or higher on the target WordPress installation - attacker must be a registered marketplace vendor, not merely a customer or anonymous user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS score of 4.3 Medium with AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N represents a defensible but conservative rating of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious vendor registered on the marketplace navigates to their own order dashboard at /dashboard/orders/?order_id=[OWN_ORDER_ID] and extracts the embedded WordPress nonce from the page HTML. They then POST to wp-admin/admin-ajax.php with action=dokan_change_order_status, the harvested nonce, and a victim's order_id to flip the victim's order to a completed or cancelled state - or use add_order_note to send a fraudulent customer-facing note that triggers a WooCommerce email to the buyer with attacker-controlled text. …
Remediation The upstream fix is confirmed via GitHub Pull Request #3246 (https://github.com/getdokan/dokan/pull/3246) and a corresponding WordPress.org changeset 3564542 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3564542%40dokan-lite&new=3564542%40dokan-lite). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dokan

View all
CVE-2024-3922 CRITICAL POC
10.0 Jun 13

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in

CVE-2022-3915 CRITICAL POC
9.8 Dec 12

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state

CVE-2026-24359 HIGH
8.8 Mar 25

An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow

CVE-2026-49780 HIGH
8.8 Jun 15

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer a

CVE-2020-36748 MEDIUM POC
4.3 Jul 01

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate

CVE-2023-26525 HIGH
7.1 Dec 20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes

CVE-2026-57706 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in

CVE-2026-11783 MEDIUM
6.4 Jun 27

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through

CVE-2023-34382 MEDIUM
4.4 Dec 19

Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu

CVE-2026-11987 MEDIUM
4.3 Jun 27

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable

Share

CVE-2026-10023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy