Skip to main content

Dokan Pro CVE-2026-12224

| EUVDEUVD-2026-40928 HIGH
Improper Privilege Management (CWE-269)
2026-07-01 Wordfence GHSA-9cv2-mw8g-x6gp
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network REST endpoint (AV:N) reachable by any authenticated vendor (PR:L) with no user interaction; missing capability allowlist yields administrator access and full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 08:32 vuln.today
CVE Published
Jul 01, 2026 - 06:51 nvd
HIGH 8.8

DescriptionCVE.org

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the update_capabilities() REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.

AnalysisAI

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or use self-provisioned vendor account
Delivery
Create vendor_staff account
Exploit
POST arbitrary capability to update_capabilities REST endpoint
Execution
Grant administrator capability to staff account
Persist
Log in as administrator
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires the Vendor Staff module to be enabled in Dokan Pro (the module that exposes the update_capabilities() REST endpoint) and the attacker to hold at least a self-provisioned Vendor-level account carrying the dokandar capability - commonly obtainable on marketplaces that allow open vendor registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8 High) accurately reflects a network-reachable, low-complexity, low-privilege-required attack with full confidentiality, integrity and availability impact - consistent with a path to administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or already holds) a vendor account on a Dokan marketplace that has the Vendor Staff module enabled, creates a vendor_staff account, then sends a crafted authenticated request to the update_capabilities() REST endpoint supplying 'administrator' as a capability. Because the handler only checks for the dokandar capability and applies no allowlist, the staff account is granted administrator rights, giving the attacker full control of the WordPress site. …
Remediation No vendor-released patched version was identified at time of analysis; the description confirms only that versions through 5.0.4 are vulnerable, so administrators should upgrade to the latest Dokan Pro release above 5.0.4 as soon as weDevs publishes a fix and monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff9c202-b3e8-4660-8763-a9fee468203e?source=cve) and https://dokan.co/ for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify Dokan Pro installation and current version; disable vendor self-registration and the Vendor Staff module if operations permit. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy