Skip to main content

Dokan EUVDEUVD-2026-39950

| CVE-2026-11783 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-27 Wordfence GHSA-wv47-9f7r-v6pj
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L reflects required vendor account; S:C captures script execution in victims' browsers outside the plugin's security context; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:54 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious payload is delivered to site visitors - including unauthenticated users - when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method.

AnalysisAI

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register or compromise vendor account
Delivery
Inject JavaScript payload into Product SKU field
Exploit
Victim loads page with store search widget
Install
Widget issues AJAX request fetching product data
C2
Server returns unescaped SKU in HTML response
Execute
jQuery .html() executes payload in victim browser
Impact
Attacker harvests session tokens or performs DOM-based actions

Vulnerability AssessmentAI

Exploitation The attacker must hold an authenticated WordPress account at 'custom-level' or above - in the Dokan context this corresponds to a vendor or seller role, which is the standard low-privilege role on a multivendor marketplace. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N carries several noteworthy signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a vendor account on the target marketplace (or compromises an existing vendor account) and creates or edits a product, inserting a JavaScript payload such as a cookie-stealing script into the Product SKU field. When any site visitor - including unauthenticated users - uses the store search widget, the front-end issues an AJAX request, receives the unescaped SKU in the HTML response, and jQuery's .html() method renders and executes the injected script in the visitor's browser, potentially exfiltrating session tokens or performing actions on the victim's behalf. …
Remediation Update Dokan Lite to the version released after 5.0.4 containing changeset 3578095 from the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578095%40dokan-lite&new=3578095%40dokan-lite); the exact patched release version is not independently confirmed from the available data beyond the changeset reference, so administrators should verify the installed version against the latest available in the WordPress plugin directory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dokan

View all
CVE-2024-3922 CRITICAL POC
10.0 Jun 13

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in

CVE-2022-3915 CRITICAL POC
9.8 Dec 12

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state

CVE-2026-24359 HIGH
8.8 Mar 25

An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow

CVE-2026-49780 HIGH
8.8 Jun 15

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer a

CVE-2020-36748 MEDIUM POC
4.3 Jul 01

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate

CVE-2023-26525 HIGH
7.1 Dec 20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes

CVE-2026-57706 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and in

CVE-2023-34382 MEDIUM
4.4 Dec 19

Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu

CVE-2026-11987 MEDIUM
4.3 Jun 27

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable

CVE-2026-10023 MEDIUM
4.3 Jun 18

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo

Share

EUVD-2026-39950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy