Impact
The Dokan Pro plugin for WordPress contains an authenticated REST handler that lets a caller grant arbitrary WordPress capabilities. The flaw is in the update_capabilities() endpoint, which accepts any capability string from the request body and passes it straight to WP_User::add_cap() with no allowlist validation. The weakness is classified as CWE-269 (Improper Privilege Management), a privilege escalation flaw. As a consequence, an authenticated user with at least vendor-level access can elevate any vendor_staff account to administrator, which amounts to a full site takeover.
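As an added illustration, not Dokan Pro's own source, the following shows the handler pattern the advisory describes next to a hardened version. The route path, function names, the _vendor_id user meta key and the contents of the capability allowlist are assumptions; dokandar and vendor_staff are the capability and role named in this page.

```php
<?php
// Added example, not Dokan Pro's code. Route path, function names, the
// '_vendor_id' meta key and the allowlist contents are assumptions.

// Vulnerable pattern (illustrative): every capability string supplied in the
// request body is forwarded to WP_User::add_cap() with no allowlist check.
function example_update_capabilities_vulnerable( WP_REST_Request $request ) {
    $staff = get_userdata( (int) $request->get_param( 'staff_id' ) );
    if ( ! $staff ) {
        return new WP_Error( 'not_found', 'Staff user not found', array( 'status' => 404 ) );
    }
    foreach ( (array) $request->get_param( 'capabilities' ) as $cap ) {
        $staff->add_cap( $cap ); // accepts 'manage_options', 'administrator', anything
    }
    return rest_ensure_response( array( 'updated' => true ) );
}

// Assumed allowlist of module-specific capabilities a vendor may delegate.
const EXAMPLE_STAFF_CAPS = array(
    'dokan_view_order_menu',
    'dokan_manage_order',
    'dokan_view_product_menu',
);

// Hardened version: the target must really be a vendor_staff account owned by
// the calling vendor, and only allowlisted capabilities are accepted.
function example_update_capabilities_hardened( WP_REST_Request $request ) {
    $vendor = wp_get_current_user();
    $staff  = get_userdata( (int) $request->get_param( 'staff_id' ) );
    if ( ! $staff || ! in_array( 'vendor_staff', (array) $staff->roles, true ) ) {
        return new WP_Error( 'rest_forbidden', 'Target is not a vendor staff account', array( 'status' => 403 ) );
    }
    // Assumed ownership check: staff accounts record their vendor in user meta.
    if ( (int) get_user_meta( $staff->ID, '_vendor_id', true ) !== (int) $vendor->ID ) {
        return new WP_Error( 'rest_forbidden', 'Staff does not belong to this vendor', array( 'status' => 403 ) );
    }
    $requested = array_map( 'strval', (array) $request->get_param( 'capabilities' ) );
    $unknown   = array_diff( $requested, EXAMPLE_STAFF_CAPS );
    if ( ! empty( $unknown ) ) {
        return new WP_Error( 'rest_invalid_param', 'Capability not permitted: ' . implode( ', ', $unknown ), array( 'status' => 400 ) );
    }
    // Reset the delegable caps first so the final state contains only what
    // was requested from the allowlist, never a leftover from an earlier call.
    foreach ( EXAMPLE_STAFF_CAPS as $cap ) {
        $staff->remove_cap( $cap );
    }
    foreach ( $requested as $cap ) {
        $staff->add_cap( $cap );
    }
    return rest_ensure_response( array( 'updated' => true, 'capabilities' => array_values( $requested ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/staff/capabilities', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_capabilities_hardened',
        // Being authenticated is not enough: the caller must hold the vendor capability.
        'permission_callback' => function () {
            return current_user_can( 'dokandar' );
        },
        // Schema validation rejects non-allowlisted strings before the callback runs;
        // the in-handler check above is the second line of defence.
        'args'                => array(
            'staff_id'     => array( 'required' => true, 'type' => 'integer' ),
            'capabilities' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'string', 'enum' => EXAMPLE_STAFF_CAPS ),
            ),
        ),
    ) );
} );
```

Why the allowlist matters more than it might look: WordPress stores a user's roles and capabilities in the same wp_capabilities user meta array, so add_cap( 'administrator' ) on a vendor_staff user is read back as the administrator role, not merely as an extra capability. Any handler that forwards caller-supplied strings to add_cap() therefore hands out roles, not just permissions.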
Affected Systems
All installations of the Dokan Pro plugin from the first release up to and including version 5.0.4 are affected. The issue is reachable on sites that have the Vendor Staff module enabled and where authenticated users hold the dokandar (vendor) capability. The affected vendor/product identifier is wedevs:dokan pro.
Risk and Exploitability
A CVSS score of 8.8 places this vulnerability in the High severity band. Because exploitation requires an authenticated account with at least vendor-level access and the Vendor Staff module enabled, the exposed population is narrower than for an unauthenticated flaw, but the outcome, administrator rights on the site, is critical. No EPSS score is currently available, and the flaw is not listed in the CISA KEV catalog. Exploitation consists of authenticating with a vendor-level account and sending a crafted JSON payload to the update_capabilities REST endpoint; the capabilities named in the payload are assigned without further checks.
OpenCVE Enrichment