Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network REST endpoint (AV:N) reachable by any authenticated vendor (PR:L) with no user interaction; missing capability allowlist yields administrator access and full C/I/A impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the update_capabilities() REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.
Articles & Coverage 1
AnalysisAI
Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Vendor Staff module to be enabled in Dokan Pro (the module that exposes the update_capabilities() REST endpoint) and the attacker to hold at least a self-provisioned Vendor-level account carrying the dokandar capability - commonly obtainable on marketplaces that allow open vendor registration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8 High) accurately reflects a network-reachable, low-complexity, low-privilege-required attack with full confidentiality, integrity and availability impact - consistent with a path to administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers (or already holds) a vendor account on a Dokan marketplace that has the Vendor Staff module enabled, creates a vendor_staff account, then sends a crafted authenticated request to the update_capabilities() REST endpoint supplying 'administrator' as a capability. Because the handler only checks for the dokandar capability and applies no allowlist, the staff account is granted administrator rights, giving the attacker full control of the WordPress site. … |
| Remediation | No vendor-released patched version was identified at time of analysis; the description confirms only that versions through 5.0.4 are vulnerable, so administrators should upgrade to the latest Dokan Pro release above 5.0.4 as soon as weDevs publishes a fix and monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff9c202-b3e8-4660-8763-a9fee468203e?source=cve) and https://dokan.co/ for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Verify Dokan Pro installation and current version; disable vendor self-registration and the Vendor Staff module if operations permit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remo
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40928
GHSA-9cv2-mw8g-x6gp