Description
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly validating a user's identity prior to updating their password during a staff password reset. This makes it possible for authenticated attackers, with vendor-level access and above, to elevate their privilege to the level of a staff member and then change arbitrary user passwords, including those of administrators in order to gain access to their accounts. By default, the plugin allows customers to become vendors.
Published: 2025-08-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation (Authenticated)
Action: Immediate Patch
AI Analysis

Impact

The Dokan Pro plugin for WordPress contains a flaw that allows an authenticated user with vendor-level or higher access to take over the account of any user, including site administrators. The vulnerability arises from the plugin failing to validate a user's identity before updating their password during a staff password reset, enabling unauthorized privilege escalation. This flaw is classified under CWE-269 (Improper Privilege Management).

Affected Systems

The affected product is the Dokan Pro plugin from wedevs, used within WordPress sites. Versions up to and including 4.0.5 are vulnerable. Any authenticated user with a vendor-level or higher role can exploit the flaw, and because the plugin by default permits customers to become vendors, the set of users able to reach the vulnerable code path is potentially much larger than the vendor role alone suggests.

Risk and Exploitability

The severity score is CVSS 8.8, indicating high risk. The EPSS score is under 1%, so the likelihood of widespread exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, any authenticated attacker who has vendor or higher privileges can elevate their rights to staff level and reset the passwords of administrator accounts, potentially compromising the entire WordPress installation.

Generated by OpenCVE AI on April 20, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokan Pro to a version newer than 4.0.5.
  • Limit staff password reset functionality to administrators only and remove vendor and customer roles from password reset permissions.
  • Enable two-factor authentication for all administrator accounts to reduce the risk of credential theft.

Advisories

Source: EUVD
ID: EUVD-2025-25808
Title: The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly validating a user's identity prior to updating their password during a staff password reset. This makes it possible for authenticated attackers, with vendor-level access and above, to elevate their privilege to the level of a staff member and then change arbitrary user passwords, including those of administrators in order to gain access to their accounts. By default, the plugin allows customers to become vendors.

History

Wed, 27 Aug 2025 11:30:00 +0000

Type: First Time appeared
Values Added: Wedevs; Wedevs dokan; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wedevs; Wedevs dokan; Wordpress; Wordpress wordpress

Tue, 26 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 Aug 2025 05:15:00 +0000

Type: Description
Values Added: The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly validating a user's identity prior to updating their password during a staff password reset. This makes it possible for authenticated attackers, with vendor-level access and above, to elevate their privilege to the level of a staff member and then change arbitrary user passwords, including those of administrators in order to gain access to their accounts. By default, the plugin allows customers to become vendors.

Type: Title
Values Added: Dokan Pro <= 4.0.5 - Authenticated (Vendor+) Privilege Escalation

Type: Weaknesses
Values Added: CWE-269

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:51.977Z

Reserved: 2025-06-09T14:52:15.433Z

Link: CVE-2025-5931

Vulnrichment

Updated: 2025-08-26T15:40:14.730Z

NVD

Status: Deferred

Published: 2025-08-26T05:15:32.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses