Skip to main content

Dokan CVE-2026-49780

| EUVDEUVD-2026-36897 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-9grp-3x37-pqm5
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint (AV:N), straightforward request (AC:L), requires a self-registerable customer account (PR:L), no victim interaction (UI:N), and full site-level CIA impact via role escalation.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:28 vuln.today

DescriptionCVE.org

Customer Privilege Escalation in Dokan <= 5.0.2 versions.

AnalysisAI

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Dokan (also marketed as Dokan Lite) is a popular WordPress multivendor marketplace plugin that lets site owners run Amazon/Etsy-style storefronts with distinct customer, vendor, and admin roles layered on top of WordPress and WooCommerce capabilities. The underlying weakness maps to CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts privilege/role values without sufficient validation, so a logged-in customer can manipulate a request to receive capabilities they were never granted. The CPE 'cpe:2.3:a:dokan,_inc.:dokan:*:*:*:*:*:*:*:*' indicates all Dokan versions up to and including 5.0.2 are in scope.

RemediationAI

Patch available per vendor advisory: upgrade Dokan to a release later than 5.0.2 as soon as weDevs publishes the fixed build referenced in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-5-0-2-privilege-escalation-vulnerability, and verify the installed version via Plugins → Installed Plugins after updating. Until the fixed version is deployed, compensating controls include temporarily disabling new customer self-registration in WooCommerce/Dokan settings (trade-off: blocks legitimate signups and lost sales), placing the site behind Patchstack's or another WordPress WAF with virtual-patching rules for this CVE (trade-off: depends on signature coverage and may not catch variant payloads), auditing the wp_users and wp_usermeta tables for unexpected role escalations to vendor or administrator, and restricting access to Dokan vendor-management AJAX/REST endpoints via web-server ACLs (trade-off: may break legitimate vendor workflows). Do not rely on plugin deactivation alone if customer accounts have already been created - audit existing accounts before re-enabling.

More in Dokan

View all
CVE-2024-3922 CRITICAL POC
10.0 Jun 13

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in

CVE-2022-3915 CRITICAL POC
9.8 Dec 12

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state

CVE-2026-24359 HIGH
8.8 Mar 25

An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow

CVE-2020-36748 MEDIUM POC
4.3 Jul 01

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate

CVE-2023-26525 HIGH
7.1 Dec 20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes

CVE-2026-57706 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in

CVE-2026-11783 MEDIUM
6.4 Jun 27

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through

CVE-2023-34382 MEDIUM
4.4 Dec 19

Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu

CVE-2026-11987 MEDIUM
4.3 Jun 27

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable

CVE-2026-10023 MEDIUM
4.3 Jun 18

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo

Share

CVE-2026-49780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy