Description
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.
Published: 2026-07-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dokan Pro plugin for WordPress contains an authenticated REST handler that lets a caller grant arbitrary WordPress capabilities. The flaw is that the update_capabilities() endpoint accepts any capability string from the request body and forwards it directly to WP_User::add_cap() without allowlist validation; the only check performed is that the caller holds the dokandar capability. The weakness is classified as CWE-269 (Improper Privilege Management). As a consequence, a valid user with at least vendor-level access can elevate any vendor_staff account to administrator, leading to a full site takeover.

Affected Systems

All installations of the Dokan Pro plugin from the original release up to and including version 5.0.4 are affected. The vulnerability is exploitable only on sites that have the Vendor Staff module enabled and where an authenticated user can obtain the dokandar capability (that is, vendor-level access, which the description notes can be self-provisioned). All vendors listed under the wedevs:dokan pro CNA are impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability. Because the attack requires authentication and at least vendor-level access, exposure is limited to sites running the Vendor Staff module, but the outcome, the ability to grant administrator rights, is critical. EPSS data is currently not available, and the flaw is not listed in the CISA KEV catalog. An attacker can exploit this by sending a crafted JSON payload to the update_capabilities REST endpoint after authenticating with a vendor-level account, causing arbitrary capability assignments without further checks.

Generated by OpenCVE AI on July 1, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokan Pro to version 5.0.5 or later, which removes the unchecked capability parameter from the REST endpoint.
  • If an immediate upgrade is not possible, restrict vendor_staff accounts to the minimum necessary capabilities and audit the capabilities and roles of every vendor_staff user to confirm that no unintended roles (such as administrator) have been granted.
  • Consider blocking or rate-limiting the /wp-json/dokan/v1/user/update-capabilities REST API route via a web application firewall, or by adding conditions in wp-config.php, to prevent unauthorized capability modifications.
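The advisory's core point is the pattern "strings from the request body reach WP_User::add_cap() with no allowlist", and the interim mitigation above asks for an audit of vendor_staff capabilities. The PHP below is an added illustration for this page, not Dokan Pro's own code: it shows that unchecked pattern beside a handler that enforces an allowlist and a vendor-ownership check, plus the audit routine. Assumed for the example (not from the advisory): the route namespace `example/v1`, all `example_*` function names, the user meta key `_example_vendor_id` used to tie a staff account to its vendor, and the capability names in the allowlist; `dokandar` and `vendor_staff` are the capability and role named on the page.

```php
<?php
// Added illustration; not Dokan Pro's code. Function names, the route, the
// '_example_vendor_id' meta key and the allowlist entries are assumptions.

// Unsafe pattern from the advisory: the caller's own capability is checked
// (in the permission callback), but the strings in the body are granted
// as-is, so 'administrator' or 'manage_options' is accepted.
function example_update_capabilities_unsafe( WP_REST_Request $request ) {
    $staff = get_userdata( (int) $request->get_param( 'user_id' ) );
    if ( ! $staff ) {
        return new WP_Error( 'rest_user_invalid', 'Unknown user.', [ 'status' => 404 ] );
    }
    foreach ( (array) $request->get_param( 'capabilities' ) as $cap ) {
        $staff->add_cap( $cap ); // no allowlist: any WordPress capability goes through
    }
    return rest_ensure_response( [ 'success' => true ] );
}

// Hardened version, step 1: a fixed set of capabilities staff may ever receive.
// These names are constructed for the example, not Dokan's real capability list.
function example_allowed_staff_caps() {
    return [ 'example_staff_view_orders', 'example_staff_manage_orders', 'example_staff_view_products' ];
}

// Step 2: validate the requested list before anything is granted.
// Returns the cleaned list or a WP_Error for the first rejected entry.
function example_validate_caps( $requested ) {
    if ( ! is_array( $requested ) ) {
        return new WP_Error( 'rest_invalid_param', 'capabilities must be an array.', [ 'status' => 400 ] );
    }
    $allowed = example_allowed_staff_caps();
    $clean   = [];
    foreach ( $requested as $cap ) {
        if ( ! is_string( $cap ) ) {
            return new WP_Error( 'rest_invalid_param', 'Each capability must be a string.', [ 'status' => 400 ] );
        }
        if ( ! in_array( $cap, $allowed, true ) ) {
            return new WP_Error( 'rest_forbidden_cap', 'Capability not permitted: ' . $cap, [ 'status' => 403 ] );
        }
        $clean[] = $cap;
    }
    return array_values( array_unique( $clean ) );
}

// Step 3: the target must be a vendor_staff account owned by the calling vendor
// (ownership modelled here with an assumed user meta key).
function example_staff_belongs_to_caller( WP_User $staff ) {
    return in_array( 'vendor_staff', (array) $staff->roles, true )
        && (int) get_user_meta( $staff->ID, '_example_vendor_id', true ) === get_current_user_id();
}

function example_update_capabilities_safe( WP_REST_Request $request ) {
    $staff = get_userdata( (int) $request->get_param( 'user_id' ) );
    if ( ! $staff || ! example_staff_belongs_to_caller( $staff ) ) {
        return new WP_Error( 'rest_forbidden', 'Not one of your staff accounts.', [ 'status' => 403 ] );
    }
    $caps = example_validate_caps( $request->get_param( 'capabilities' ) );
    if ( is_wp_error( $caps ) ) {
        return $caps;
    }
    // Replace rather than accumulate, touching only allowlisted capabilities.
    foreach ( example_allowed_staff_caps() as $cap ) {
        if ( ! in_array( $cap, $caps, true ) ) {
            $staff->remove_cap( $cap );
        }
    }
    foreach ( $caps as $cap ) {
        $staff->add_cap( $cap );
    }
    return rest_ensure_response( [ 'user_id' => $staff->ID, 'capabilities' => $caps ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/staff/(?P<user_id>\d+)/capabilities', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_capabilities_safe',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'dokandar' );
        },
        'args'                => [
            'capabilities' => [ 'required' => true, 'type' => 'array', 'items' => [ 'type' => 'string' ] ],
        ],
    ] );
} );

// Audit for the interim mitigation: every vendor_staff user that carries an
// extra role or a directly granted capability outside the allowlist.
// WP_User::$caps holds what was set on the user itself (role keys plus
// add_cap() grants), not capabilities inherited through roles.
function example_audit_vendor_staff() {
    $findings = [];
    foreach ( get_users( [ 'role' => 'vendor_staff' ] ) as $user ) {
        $extra_roles = array_diff( (array) $user->roles, [ 'vendor_staff' ] );
        $direct_caps = array_keys( array_filter( (array) $user->caps ) );
        $extra_caps  = array_diff( $direct_caps, example_allowed_staff_caps(), [ 'vendor_staff' ] );
        if ( $extra_roles || $extra_caps ) {
            $findings[ $user->user_login ] = [
                'roles' => array_values( $extra_roles ),
                'caps'  => array_values( $extra_caps ),
            ];
        }
    }
    return $findings; // empty array means nothing unexpected was found
}
```

The hardened handler makes three changes that together close the gap the description names: the allowlist bounds what add_cap() can ever receive, the ownership check stops a vendor from editing another vendor's staff, and the replace-rather-than-accumulate loop keeps the endpoint from silently widening an account over time. Running `example_audit_vendor_staff()` (for instance from WP-CLI's `wp eval`) on an unpatched site lists any staff account that already holds an unexpected role such as administrator.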

Generated by OpenCVE AI on July 1, 2026 at 15:02 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Wedevs; Wedevs dokan Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wedevs; Wedevs dokan Pro; Wordpress; Wordpress wordpress

Wed, 01 Jul 2026 11:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type: Description
Values Added: The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.

Type: Title
Values Added: Dokan Pro <= 5.0.4 - Authenticated (Vendor+) Privilege Escalation via update_capabilities REST Endpoint

Type: Weaknesses
Values Added: CWE-269

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wedevs Dokan Pro
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:04.874Z

Reserved: 2026-06-14T14:48:41.497Z

Link: CVE-2026-12224

Vulnrichment

Updated: 2026-07-01T10:30:43.424Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-269

    Improper Privilege Management