Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.
Published: 2026-06-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure direct object reference in several Dokan AJAX handlers. The handlers perform no ownership validation on the submitted order ID, and the nonce included in each request only confirms a logged-in session, not that the order belongs to the requesting vendor. An authenticated vendor with Custom+ access can therefore act on any order in the marketplace: change its status, add notes (including customer-visible ones), delete any note or comment by ID, inject shipping tracking information, and grant or revoke download permissions. Some of these changes trigger WooCommerce notification emails to the affected customers, which can cause confusion or financial loss.

Affected Systems

The affected product is the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress, versions up to and including 5.0.3. Only installations where users hold a vendor (Custom+) role with access to the dashboard order pages are exposed.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path runs through the vendor dashboard: the attacker logs in, harvests a nonce from their own order page, then submits an AJAX request that replays that nonce against a victim order ID. No additional privileges or code execution are required. The impact is limited to data integrity and potential customer communication issues, not remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dokan plugin to a version where the IDOR is fixed (≥5.0.4 if available).
  • If an immediate upgrade is not possible, restrict Custom+ vendor roles, and add a server-side check in the order-related AJAX handlers that the submitted order_id belongs to the logged-in vendor before any change is applied.
  • Implement monitoring of order status changes to detect unauthorized modifications and investigate any anomalies promptly.

Generated by OpenCVE AI on June 18, 2026 at 17:39 UTC.
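The ownership check the second recommended action calls for, shown as an added PHP example that is not Dokan's code: the vulnerable shape (nonce check only) next to the fixed shape, plus a logging hook for the third recommended action. The function names, the nonce action string, and the `_dokan_vendor_id` order meta key are assumptions made for this example.

```php
<?php
// Added example, not Dokan's code: a vendor-side "change order status" AJAX
// handler, first with only the nonce check the advisory describes, then with
// the ownership check that closes the IDOR. Names and the nonce action are
// hypothetical; '_dokan_vendor_id' is assumed to hold the owning vendor's id.

// Ownership test: the order must carry the vendor id of the current user.
function example_vendor_owns_order( WC_Order $order, int $vendor_id ): bool {
    return (int) $order->get_meta( '_dokan_vendor_id', true ) === $vendor_id;
}

// BEFORE: nonce only. A vendor who has loaded their own dashboard order page
// holds a valid nonce and can resubmit it with any order_id value.
function example_change_order_status_vulnerable() {
    check_ajax_referer( 'example-order-nonce', 'security' );
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 404 );
    }
    // No check that $order belongs to get_current_user_id(): CWE-639.
    $order->update_status( sanitize_key( $_POST['status'] ?? '' ) );
    wp_send_json_success();
}

// AFTER: same nonce, plus the missing ownership check.
function example_change_order_status_fixed() {
    check_ajax_referer( 'example-order-nonce', 'security' );
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 404 );
    }
    if ( ! example_vendor_owns_order( $order, get_current_user_id() ) ) {
        // The nonce proved a session, not ownership; refuse and stop here.
        wp_send_json_error( 'forbidden', 403 );
    }
    $order->update_status( sanitize_key( $_POST['status'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_change_order_status', 'example_change_order_status_fixed' );

// Detection for not-yet-upgraded sites: log status changes made by a non-admin
// user who does not own the order, so anomalies can be investigated.
add_action( 'woocommerce_order_status_changed', function ( $order_id, $from, $to, $order ) {
    $uid = get_current_user_id();
    if ( $uid && ! current_user_can( 'manage_woocommerce' )
         && ! example_vendor_owns_order( $order, $uid ) ) {
        error_log( "order $order_id: $from -> $to changed by non-owner user $uid" );
    }
}, 10, 4 );
```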

Tracking


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Dokaninc; Dokaninc dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Dokaninc; Dokaninc dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy; Wordpress; Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)

Type: Title
Values Added: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Dokaninc Dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T13:53:45.913Z

Reserved: 2026-05-28T17:28:38.977Z

Link: CVE-2026-10023

Vulnrichment

Updated: 2026-06-18T13:22:22.014Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:00:11Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key