Skip to main content

Dokan Pro CVE-2026-56033

| EUVDEUVD-2026-39696 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-26 audit@patchstack.com GHSA-g44j-q7h3-4266
9.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated, network-reachable, low-complexity privilege escalation (PR:N/AV:N/AC:L) yielding administrative control gives full C/I/A; scope unchanged as it stays within the WordPress security authority.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:42 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in Dokan Pro <= 5.0.4 versions.

AnalysisAI

Privilege escalation in Dokan Pro (the WordPress/WooCommerce multivendor marketplace plugin) versions 5.0.4 and earlier lets unauthenticated remote attackers gain elevated privileges, scoring CVSS:3.1 9.8 Critical via AV:N/AC:L/PR:N/UI:N with full confidentiality, integrity, and availability impact. The flaw is classed as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants privileges it should not to an unauthenticated requester. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Find WordPress site running Dokan Pro <= 5.0.4
Delivery
Send crafted unauthenticated request to privilege endpoint
Exploit
Plugin incorrectly assigns elevated role
Execution
Gain administrative capabilities
Impact
Take over site and install backdoor

Vulnerability AssessmentAI

Exploitation Per the supplied CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication, no user interaction, and no prior privileges are required, so exploitation is unauthenticated and remote against any Dokan Pro installation at version 5.0.4 or below. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are limited and only partially corroborated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted request to a vulnerable Dokan Pro endpoint that improperly assigns privileges, causing the plugin to grant the attacker (or a newly created account) elevated capabilities up to administrative control of the WordPress site. From there they can read sensitive data, alter content, install malicious plugins, and disrupt the marketplace. …
Remediation No vendor-released patch version is identified in the available data - the input only confirms versions through 5.0.4 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/dokan-pro/vulnerability/wordpress-dokan-pro-plugin-5-0-4-privilege-escalation-vulnerability?_s_id=cve) and the weDevs/Dokan changelog for the first release above 5.0.4 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Dokan Pro ≤5.0.4 and assess operational necessity; prioritize deactivation if non-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy