Improper neutralization of user input when generating web pages allows an attacker to inject malicious scripts that are stored by the Dokan Pro plugin and subsequently served to other users. This violates the integrity and confidentiality of user sessions and enables phishing or credential theft, classified as CWE‑79. The vulnerability is a classical stored XSS flaw that can be triggered whenever data entered by a user is rendered without proper sanitization.

The flaw exists in the WordPress Dokan Pro plugin versions from any earlier release up through 3.14.5. WordPress sites that employ Dokan Pro for multi‑vendor e‑commerce environments are impacted. The affected code paths include the vendor’s content management interfaces that accept and persist comments, product descriptions, or other user‑generated content.

The CVSS score of 6.5 indicates moderate risk, while the EPSS score of < 1% suggests exploitation is currently unlikely but possible. The vulnerability is not yet listed in the CISA KEV catalog. A likely attacker would need to be able to submit content through the plugin’s input mechanisms; thus authenticated or privileged access to the content‑creation features is a prerequisite. Successful exploitation could result in persistent cross‑site scripting across all users who view the affected content.