Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.
Published: 2026-06-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dokan plugin for WordPress contains a flaw where an authenticated user can supply a product ID and retrieve information about any vendor’s products, including drafts and pending listings. The plugin checks only generic vendor capabilities and does not verify that the requested product belongs to the calling user, creating an Insecure Direct Object Reference that discloses product names, prices, SKUs and descriptions. This is identified as CWE‑639.

Affected Systems

The vulnerability affects all releases of the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin up to and including version 5.0.4. Users with subscriber-level access or higher, who hold the 'dokan_view_product_menu' or 'dokandar' capabilities, can exploit the flaw within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity to confidentiality. Because the exploit requires authenticated access and the attacker must know a valid product ID, the overall exploitability is moderate. There is no EPSS data available, in the CISA KEV catalog. The path is limited to legitimate vendors, but leaking product data can damage competitive advantage and pricing strategies.

Generated by OpenCVE AI on June 27, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dokan plugin to the latest version available to eliminate the ID validation flaw.
  • If a patch is not yet available, restrict subscriber-level users from accessing product details via the REST endpoints, for example by removing or altering the 'dokan_view_product_menu' capability or adding a custom filter that enforces product ownership checks.
  • After applying any fix, test the plugin to confirm that product data is only returned to the owning vendor and monitor audit logs for any unauthorized access attempts.

Generated by OpenCVE AI on June 27, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L299 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L39 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L66 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L159 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L473 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L495 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L299 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L39 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L66 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L159 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L473 cve-icon
https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L495 cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578095%40dokan-lite&new=3578095%40dokan-lite&sfp_email=&sfph_mail= cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/1359945a-cf4e-4883-830b-53a3fcd40e56?source=cve cve-icon
History

Mon, 29 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Dokaninc
Dokaninc dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy
Wordpress
Wordpress wordpress
Vendors & Products Dokaninc
Dokaninc dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy
Wordpress
Wordpress wordpress

Sat, 27 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.
Title Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via 'id' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Dokaninc Dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T19:02:43.047Z

Reserved: 2026-06-11T14:24:55.603Z

Link: CVE-2026-11987

cve-icon Vulnrichment

Updated: 2026-06-29T19:02:39.754Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T12:15:08Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key