The Dokan AI Powered WooCommerce Multivendor Marketplace Solution for WordPress is vulnerable to a stored cross‑site scripting flaw because the Product SKU field is not sanitized or properly escaped before it is stored and later injected into the page via an AJAX response processed by jQuery's .html() method. An attacker who has custom‑level access or higher can embed malicious JavaScript into the SKU, and the payload is delivered to every site visitor, including unauthenticated users, when the store search widget renders the unescaped HTML. This allows arbitrary code execution in the victim’s browser, facilitating cookie theft, session hijack, defacement, or the execution of malicious redirects. The CVSS score of 6.4 indicates a moderate severity for this type of vulnerability.

All installations of the Dokan AI Powered WooCommerce Multivendor Marketplace Solution up to and including version 5.0.4 are impacted. The affected product is maintained by DokanInc and is commonly used to create custom marketplace storefronts on WordPress sites.

The vulnerability relies on an authenticated attack vector; an attacker must be able to edit a product SKU with custom‑level permissions or higher. Once the payload is stored, it is executed for any visitor who triggers the store search widget, making the impact widespread even if the attacker never logs in again. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, suggesting that the public exploit landscape is currently limited. However, the moderate CVSS, coupled with the ability to affect all users, means that this flaw represents a notable risk for any site that has a non‑privileged user base exposed to the search functionality.