Skip to main content

Dokan EUVDEUVD-2026-43361

| CVE-2026-57706 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Reflected XSS is network-delivered with low complexity and no privileges but needs victim clicks (UI:R); script escaping into browser context gives S:C with low C/I, and availability impact does not realistically apply (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:50 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan, Inc. Dokan dokan-lite allows Reflected XSS.This issue affects Dokan: from n/a through <= 5.0.6.

AnalysisAI

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload in Dokan parameter
Delivery
Deliver link to admin/vendor victim
Exploit
Victim clicks, server reflects payload unsanitized
Execution
Script executes in victim browser session
Impact
Steal session/perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires victim interaction: the target must click or otherwise load an attacker-crafted URL carrying the XSS payload in the vulnerable Dokan request parameter (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and internally consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site containing a malicious script payload in a vulnerable Dokan parameter and delivers it via email, chat, or a link on another site. When a logged-in administrator or vendor clicks the link, the reflected script executes in their browser under the site's origin, allowing session token theft, actions performed as the victim, or redirection. …
Remediation Upgrade the Dokan plugin to a fixed release newer than 5.0.6; the input data does not specify an exact patched version, so no vendor-released patch version is independently confirmed here - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-5-0-6-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org changelog for the corrected version and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for Dokan versions up to 5.0.6 and disable the plugin if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dokan

View all
CVE-2024-3922 CRITICAL POC
10.0 Jun 13

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and in

CVE-2022-3915 CRITICAL POC
9.8 Dec 12

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL state

CVE-2026-24359 HIGH
8.8 Mar 25

An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allow

CVE-2026-49780 HIGH
8.8 Jun 15

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer a

CVE-2020-36748 MEDIUM POC
4.3 Jul 01

The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rate

CVE-2023-26525 HIGH
7.1 Dec 20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Bes

CVE-2026-11783 MEDIUM
6.4 Jun 27

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through

CVE-2023-34382 MEDIUM
4.4 Dec 19

Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Bu

CVE-2026-11987 MEDIUM
4.3 Jun 27

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enable

CVE-2026-10023 MEDIUM
4.3 Jun 18

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allo

Share

EUVD-2026-43361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy