Skip to main content

Dokan EUVDEUVD-2026-39948

| CVE-2026-11987 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-27 Wordfence GHSA-7w4v-h7g8-xr5r
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Vendor account required (PR:L); network-accessible REST API (AV:N); confidentiality limited to peer product metadata with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:53 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products - including unpublished draft and pending listings - exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.

AnalysisAI

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as any vendor account
Delivery
Enumerate product IDs via REST API 'id' parameter
Exploit
Generic capability check passes without ownership validation
Execution
Retrieve draft and pending product records from competing vendors
Impact
Harvest unreleased product names, prices, and SKUs

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account on the target site with at minimum subscriber-level access, and specifically requires that the attacker hold the 'dokandar' or 'dokan_view_product_menu' capability - both of which are granted automatically to all registered vendor accounts in Dokan by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A registered vendor on a target Dokan-powered WooCommerce marketplace authenticates via their vendor account and sends HTTP GET requests to the Dokan REST API product endpoints, incrementing the 'id' parameter across a range of numeric values. Because the permission callback validates only the generic 'dokandar' capability present on all vendor accounts - not whether the product ID belongs to the requesting vendor - the API returns full product records for every valid ID, including draft listings of competing vendors that have not yet been published. …
Remediation A code fix has been committed to the dokan-lite repository per WordPress plugin Trac changeset revision 3578095 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578095%40dokan-lite&new=3578095%40dokan-lite); however, the exact patched release version number is not confirmed in available data - users should upgrade to the latest available Dokan version from the WordPress plugin repository and verify that the installed version post-dates this changeset. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dokan

View all
CVE-2024-3922 CRITICAL POC
10.0 Jun 13

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in

CVE-2022-3915 CRITICAL POC
9.8 Dec 12

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state

CVE-2026-24359 HIGH
8.8 Mar 25

An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow

CVE-2026-49780 HIGH
8.8 Jun 15

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer a

CVE-2020-36748 MEDIUM POC
4.3 Jul 01

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate

CVE-2023-26525 HIGH
7.1 Dec 20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes

CVE-2026-57706 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in

CVE-2026-11783 MEDIUM
6.4 Jun 27

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through

CVE-2023-34382 MEDIUM
4.4 Dec 19

Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu

CVE-2026-10023 MEDIUM
4.3 Jun 18

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo

Share

EUVD-2026-39948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy