Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable parameter (AV:N/PR:N/UI:N), straightforward blind injection (AC:L), read-only data disclosure so C:H but I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Articles & Coverage 1
AnalysisAI
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires sending requests to the Dokan Pro request handler that processes the 'latitude' and 'longitude' parameters (the vendor/store geolocation functionality) on a site running Dokan Pro 5.0.4 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated injection with high confidentiality impact but no integrity or availability impact - consistent with a read-only/data-exfiltration SQL injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends crafted HTTP requests to the public Dokan Pro endpoint that accepts 'latitude' and 'longitude', appending a time-based blind SQL injection payload (e.g. a conditional SLEEP) to the existing query. … |
| Remediation | Upgrade Dokan Pro to a version later than 5.0.4 as soon as the vendor's patched release is available; the input data does not name an exact fixed version, so No vendor-released patch version is independently confirmed at time of analysis - consult the vendor advisory at https://dokan.co/ and the Wordfence record at https://www.wordfence.com/threat-intel/vulnerabilities/id/6565e345-3374-43d9-9789-f0d9138dc3e8?source=cve to obtain the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Query WordPress admin sites for Dokan Pro plugin installations and affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows a
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39166
GHSA-8r4g-qxjq-qwgc