Description
The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dokan Pro plugin for WordPress is vulnerable to a time‑based SQL injection that targets the latitude and longitude parameters. Attackers can append arbitrary SQL statements to the existing query, allowing them to extract confidential data even without authentication. This flaw compromises the confidentiality of the system by giving unauthenticated users direct access to sensitive content.

Affected Systems

All WeDevs Dokan Pro installations running version 5.0.4 or earlier are affected. The vulnerability resides in the plugin’s handling of latitude and longitude parameters within WordPress, which can be accessed by unauthenticated visitors.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity with a significant impact on confidentiality. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. The likely attack vector involves sending crafted HTTP requests to the plugin’s endpoints that accept latitude and longitude values, potentially through the front‑end or API, without requiring authentication. Because the query is not properly escaped or prepared, the injection can be leveraged to retrieve sensitive data from the database.

Generated by OpenCVE AI on June 25, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokan Pro to the latest version (5.0.5 or later) to remove the vulnerable code.
  • Disable or restrict any exposed plugin endpoints that accept latitude and longitude parameters to authenticated users only.
  • Implement strict input validation on latitude and longitude fields, ensuring only numeric values are accepted and employing prepared statements for any custom database interactions.

Generated by OpenCVE AI on June 25, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs dokan Pro
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs dokan Pro
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Dokan Pro <= 5.0.4 - Unauthenticated SQL Injection via 'latitude' and 'longitude' Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wedevs Dokan Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T19:01:11.753Z

Reserved: 2026-06-12T12:08:50.996Z

Link: CVE-2026-12077

cve-icon Vulnrichment

Updated: 2026-06-29T19:00:48.600Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T09:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')