Description
Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation. This issue affects Dokan: from n/a through <= 4.1.3.
Published: 2025-10-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect privilege assignment flaw in the Dokan dokan-lite plugin enables an attacker to gain elevated privileges on a WordPress site. The vulnerability allows a user with limited access to be promoted to a higher role, giving them full control of the plugin and potentially the entire site. This is a classic access‑control weakness categorized as CWE‑266.

Affected Systems

The flaw affects all Dokan dokan‑lite plugin installations up to and including version 4.1.3. Any WordPress site running Dokan dokan‑lite 4.1.3 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a high likelihood of successful exploitation if the attacker can become a regular user. The EPSS score of less than 1% suggests that, so far, exploitation attempts are rare, and the vulnerability is not listed in the CISA KEV catalog. The most plausible attack vector is an authenticated user exploiting the misconfiguration to acquire additional roles; this may require the attacker to have access to the site via an existing account or to submit content that triggers the flaw.

Generated by OpenCVE AI on April 30, 2026 at 05:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Dokan dokan‑lite plugin to the latest available version (4.1.4 or later) to remove the privilege escalation flaw.
  • If an immediate upgrade is not possible, restrict the plugin’s access to trusted administrators by adjusting WordPress role settings and disabling any unused capabilities exposed by Dokan.
  • Audit the site’s user roles to identify and revoke any unexpected or elevated privileges that may have been granted by the plugin.
  • Monitor user activity for signs of privilege misuse and review plugin logs for anomalous actions.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation.This issue affects Dokan: from n/a through <= 4.1.2.
Values Added: Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation.This issue affects Dokan: from n/a through <= 4.1.3.

Type: Title
Values Removed: WordPress Dokan plugin <= 4.1.2 - Privilege Escalation vulnerability
Values Added: WordPress Dokan plugin <= 4.1.3 - Privilege Escalation vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Dokan; Dokan dokan; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Dokan; Dokan dokan; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation.This issue affects Dokan: from n/a through <= 4.1.2.

Type: Title
Values Removed: (empty)
Values Added: WordPress Dokan plugin <= 4.1.2 - Privilege Escalation vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-266
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.832Z

Reserved: 2025-06-30T10:46:02.700Z

Link: CVE-2025-53425

Vulnrichment

Updated: 2025-10-23T13:52:12.154Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:50.863

Modified: 2026-04-27T18:16:21.943

Link: CVE-2025-53425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses