Dokan
Monthly
Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation requires the target to click an attacker-supplied URL.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allows attackers to abuse authentication mechanisms via an alternate path or channel, potentially gaining unauthorized access without valid credentials. This issue affects the popular WordPress e-commerce plugin used by multivendor marketplace sites. The vulnerability has been identified by Patchstack and tracked under EUVD-2026-15555, though CVSS scoring and active exploitation data are not yet available.
The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 89.5%.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy.7.19. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation requires the target to click an attacker-supplied URL.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
An authentication bypass vulnerability exists in Dokan (Dokan, Inc.) dokan-lite plugin versions through 4.2.4 that allows attackers to abuse authentication mechanisms via an alternate path or channel, potentially gaining unauthorized access without valid credentials. This issue affects the popular WordPress e-commerce plugin used by multivendor marketplace sites. The vulnerability has been identified by Patchstack and tracked under EUVD-2026-15555, though CVSS scoring and active exploitation data are not yet available.
The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 89.5%.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in weDevs Dokan - Best WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy.7.19. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.