Impact
This vulnerability is an insecure direct object reference (IDOR) in the Dokan plugin's REST API endpoint /wp-json/dokan/v1/settings: the key that selects which vendor's settings are read or written is taken from the request and never checked against the identity of the caller. Any authenticated user with customer-level or higher permissions can therefore read or modify any vendor's store settings, including payment information such as the PayPal email, bank account and routing numbers, IBAN, SWIFT code, phone number and address. An attacker who rewrites a vendor's PayPal email to an address they control causes the marketplace to route that vendor's payouts to the attacker. The result is both disclosure of sensitive financial data and potential diversion of payments to an unauthorized account.
Affected Systems
The vulnerability affects the WordPress plugin "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy" in all releases up to and including version 4.2.4. Any WordPress site running an affected release is exposed; the vulnerable component is the Dokan REST API code that handles vendor store settings.
Risk and Exploitability
The CVSS score of 8.1 (High) reflects the impact on confidentiality and integrity of vendor payment data. The EPSS score of under 1% suggests that widespread exploitation is currently unlikely, but the authentication bar is low: a customer-level account is sufficient, so on a marketplace with open registration an attacker can simply sign up, and compromised vendor credentials would work equally well. The vulnerability is not listed in CISA's KEV catalog, which means no confirmed in-the-wild exploitation has been recorded there, not that none has occurred. Given the potential for financial theft and broad access to sensitive information, it poses a significant risk to merchants and their customers.

The likely attack path is: authenticate with any qualifying account (a self-registered customer account or stolen vendor credentials), then call the vulnerable REST endpoint with the key parameter set to another vendor's identifier to retrieve or alter that vendor's configuration. Because the key is never validated against the caller's own vendor identity, the intended access control is bypassed. Site owners should update to a release later than 4.2.4, review vendor payout fields (PayPal email, bank and IBAN details) for changes the vendor did not make, and check web server or REST logs for write requests to /wp-json/dokan/v1/settings originating from accounts that are not the affected vendor. Overall, while exploitation probability is low at present, the high impact on money-related data warrants immediate attention.
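The Impact and Risk sections above both describe the same defect: a request-supplied vendor key that is never tied to the caller. The following is an added illustrative example, not code from the Dokan plugin or from this advisory, showing that IDOR-prone shape in a WordPress REST handler next to a hardened version. The namespace example/v1, the route /settings, the user-meta key example_store_settings, the field names, the manage_options capability and the use of a request parameter named key to select the vendor are all hypothetical placeholders chosen for the example.

```php
<?php
/**
 * Added illustrative example (not Dokan's code): a per-vendor "store settings"
 * REST endpoint in its IDOR-prone form and in a hardened form.
 *
 * Hypothetical assumptions: namespace "example/v1", route "/settings", settings
 * stored in user meta under "example_store_settings", request parameter "key"
 * naming the target vendor's WordPress user ID, and "manage_options" as the
 * capability that lets a marketplace admin act on another vendor's behalf.
 */

// --- Vulnerable pattern: trust the caller-supplied vendor identifier. ---

function example_settings_vulnerable( WP_REST_Request $request ) {
    // Nothing ties $vendor_id to the logged-in user, so any authenticated
    // caller can read or overwrite any other vendor's payout data.
    $vendor_id = (int) $request->get_param( 'key' );

    if ( 'PUT' === $request->get_method() ) {
        update_user_meta( $vendor_id, 'example_store_settings', $request->get_json_params() );
    }
    return rest_ensure_response( get_user_meta( $vendor_id, 'example_store_settings', true ) );
}

// --- Hardened pattern: resolve the object from the session, authorize explicitly. ---

function example_resolve_target_vendor( WP_REST_Request $request ) {
    // Default to the caller. An explicit "key" is accepted only if it names a
    // real user; whether the caller may use it is decided in the permission callback.
    $key = $request->get_param( 'key' );
    if ( null === $key || '' === $key ) {
        return get_current_user_id();
    }
    if ( ! ctype_digit( (string) $key ) || ! get_userdata( (int) $key ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown vendor.', array( 'status' => 400 ) );
    }
    return (int) $key;
}

function example_settings_permission( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls must carry a valid X-WP-Nonce; without it
    // WordPress treats the request as anonymous and this check fails closed.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $target = example_resolve_target_vendor( $request );
    if ( is_wp_error( $target ) ) {
        return $target;
    }

    // The object-level check that the vulnerable handler lacks: a vendor may only
    // touch their own settings; anyone else needs an explicit site-level capability.
    if ( $target !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only access your own store settings.', array( 'status' => 403 ) );
    }
    return true;
}

function example_settings_hardened( WP_REST_Request $request ) {
    $vendor_id = example_resolve_target_vendor( $request );
    if ( is_wp_error( $vendor_id ) ) {
        return $vendor_id;
    }

    if ( 'PUT' === $request->get_method() ) {
        // Allow-list the writable fields. Payout identifiers are exactly what an
        // attacker wants to rewrite, so never persist arbitrary keys from the body.
        $allowed  = array( 'store_name', 'phone', 'paypal_email', 'bank_iban' );
        $settings = array_intersect_key( (array) $request->get_json_params(), array_flip( $allowed ) );
        if ( isset( $settings['paypal_email'] ) && ! is_email( $settings['paypal_email'] ) ) {
            return new WP_Error( 'rest_invalid_param', 'Invalid PayPal email.', array( 'status' => 400 ) );
        }
        update_user_meta( $vendor_id, 'example_store_settings', $settings );
    }
    return rest_ensure_response( get_user_meta( $vendor_id, 'example_store_settings', true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => array( 'GET', 'PUT' ),
        'callback'            => 'example_settings_hardened',
        'permission_callback' => 'example_settings_permission',
    ) );
} );
```

The fix is the object-level authorization in the permission callback, not the nonce or login check: an attacker exploiting this class of bug already holds a valid session and a valid nonce for their own account, so the only thing that stops them is comparing the requested vendor against the caller's identity (or an explicit capability) before any read or write happens. Defaulting the target to get_current_user_id() when no key is supplied also removes the temptation for client code to pass the identifier at all.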
OpenCVE Enrichment