Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), straightforward request (AC:L), requires a self-registerable customer account (PR:L), no victim interaction (UI:N), and full site-level CIA impact via role escalation.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
AnalysisAI
Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Dokan (also marketed as Dokan Lite) is a popular WordPress multivendor marketplace plugin that lets site owners run Amazon/Etsy-style storefronts with distinct customer, vendor, and admin roles layered on top of WordPress and WooCommerce capabilities. The underlying weakness maps to CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts privilege/role values without sufficient validation, so a logged-in customer can manipulate a request to receive capabilities they were never granted. The CPE 'cpe:2.3:a:dokan,_inc.:dokan:*:*:*:*:*:*:*:*' indicates all Dokan versions up to and including 5.0.2 are in scope.
RemediationAI
Patch available per vendor advisory: upgrade Dokan to a release later than 5.0.2 as soon as weDevs publishes the fixed build referenced in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-5-0-2-privilege-escalation-vulnerability, and verify the installed version via Plugins → Installed Plugins after updating. Until the fixed version is deployed, compensating controls include temporarily disabling new customer self-registration in WooCommerce/Dokan settings (trade-off: blocks legitimate signups and lost sales), placing the site behind Patchstack's or another WordPress WAF with virtual-patching rules for this CVE (trade-off: depends on signature coverage and may not catch variant payloads), auditing the wp_users and wp_usermeta tables for unexpected role escalations to vendor or administrator, and restricting access to Dokan vendor-management AJAX/REST endpoints via web-server ACLs (trade-off: may break legitimate vendor workflows). Do not rely on plugin deactivation alone if customer accounts have already been created - audit existing accounts before re-enabling.
The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in
The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state
An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes
Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through
Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36897
GHSA-9grp-3x37-pqm5