Dokan Pro
Monthly
Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.
Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.