Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects required vendor account; S:C captures script execution in victims' browsers outside the plugin's security context; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious payload is delivered to site visitors - including unauthenticated users - when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method.
AnalysisAI
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold an authenticated WordPress account at 'custom-level' or above - in the Dokan context this corresponds to a vendor or seller role, which is the standard low-privilege role on a multivendor marketplace. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N carries several noteworthy signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a vendor account on the target marketplace (or compromises an existing vendor account) and creates or edits a product, inserting a JavaScript payload such as a cookie-stealing script into the Product SKU field. When any site visitor - including unauthenticated users - uses the store search widget, the front-end issues an AJAX request, receives the unescaped SKU in the HTML response, and jQuery's .html() method renders and executes the injected script in the visitor's browser, potentially exfiltrating session tokens or performing actions on the victim's behalf. … |
| Remediation | Update Dokan Lite to the version released after 5.0.4 containing changeset 3578095 from the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578095%40dokan-lite&new=3578095%40dokan-lite); the exact patched release version is not independently confirmed from the available data beyond the changeset reference, so administrators should verify the installed version against the latest available in the WordPress plugin directory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in
The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state
An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow
Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer a
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes
Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in
Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39950
GHSA-wv47-9f7r-v6pj