Skip to main content

Dokan Pro EUVDEUVD-2026-39166

| CVE-2026-12077 HIGH
SQL Injection (CWE-89)
2026-06-25 Wordfence GHSA-8r4g-qxjq-qwgc
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable parameter (AV:N/PR:N/UI:N), straightforward blind injection (AC:L), read-only data disclosure so C:H but I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 04:31 vuln.today
CVE Published
Jun 25, 2026 - 03:42 nvd
HIGH 7.5

DescriptionCVE.org

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Dokan Pro ≤5.0.4
Delivery
Send request with malicious latitude/longitude parameter
Exploit
Inject time-based blind SQL payload
Execution
Infer data via response delays
Impact
Exfiltrate credentials and customer PII

Vulnerability AssessmentAI

Exploitation Exploitation requires sending requests to the Dokan Pro request handler that processes the 'latitude' and 'longitude' parameters (the vendor/store geolocation functionality) on a site running Dokan Pro 5.0.4 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated injection with high confidentiality impact but no integrity or availability impact - consistent with a read-only/data-exfiltration SQL injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends crafted HTTP requests to the public Dokan Pro endpoint that accepts 'latitude' and 'longitude', appending a time-based blind SQL injection payload (e.g. a conditional SLEEP) to the existing query. …
Remediation Upgrade Dokan Pro to a version later than 5.0.4 as soon as the vendor's patched release is available; the input data does not name an exact fixed version, so No vendor-released patch version is independently confirmed at time of analysis - consult the vendor advisory at https://dokan.co/ and the Wordfence record at https://www.wordfence.com/threat-intel/vulnerabilities/id/6565e345-3374-43d9-9789-f0d9138dc3e8?source=cve to obtain the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Query WordPress admin sites for Dokan Pro plugin installations and affected versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy