Impact
The Dokan Pro plugin for WordPress is vulnerable to a time‑based SQL injection that targets the latitude and longitude parameters. Attackers can append arbitrary SQL statements to the existing query, allowing them to extract confidential data even without authentication. This flaw compromises the confidentiality of the system by giving unauthenticated users direct access to sensitive content.
Affected Systems
All WeDevs Dokan Pro installations running version 5.0.4 or earlier are affected. The vulnerability resides in the plugin’s handling of latitude and longitude parameters within WordPress, which can be accessed by unauthenticated visitors.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity with a significant impact on confidentiality. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. The likely attack vector involves sending crafted HTTP requests to the plugin’s endpoints that accept latitude and longitude values, potentially through the front‑end or API, without requiring authentication. Because the query is not properly escaped or prepared, the injection can be leveraged to retrieve sensitive data from the database.
OpenCVE Enrichment