Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

An authentication bypass flaw exists in Dokan Lite versions through 4.2.4, classified as CWE‑288. The plugin allows an attacker to obtain access by using an alternate path or channel, bypassing normal authentication controls. This enables a user without valid credentials to perform actions that normally require a logged‑in session, potentially exposing sensitive data, enabling unauthorized administrative actions, and allowing the modification or disruption of site content.

Affected Systems

All releases of the Dokan Lite WordPress plugin up to version 4.2.4 are affected. Any WordPress installation that includes Dokan Lite with a version less than or equal to 4.2.4 is vulnerable. The product in question is Dokan Lite from Dokan, Inc.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, while an EPSS probability of less than 1% suggests that exploitation is currently unlikely. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote via the website’s request path; no local or privileged conditions are specified, so it is inferred that exploitation can occur from a remote location without requiring local access. An attacker could trigger the bypass by sending a crafted request to an alternate endpoint that the plugin does not properly protect, gaining authenticated privileges.

Generated by OpenCVE AI on March 26, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokan Lite to version 4.2.5 or later to eliminate the authentication flaw
  • If an update is not yet available, disable or uninstall the Dokan Lite plugin until a patch is released
  • Verify that no unauthorized WordPress user accounts exist and remove any that were added without proper authorization
  • Apply general WordPress hardening: keep core, themes, and plugins updated; enforce strong passwords; limit login attempts; consider a web application firewall to guard against abnormal authentication attempts

Generated by OpenCVE AI on March 26, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Dokan
Dokan dokan
Wordpress
Wordpress wordpress
Vendors & Products Dokan
Dokan dokan
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4.
Title WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability
Weaknesses CWE-288
References

Subscriptions

Dokan Dokan
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T20:01:35.761Z

Reserved: 2026-01-22T14:42:24.567Z

Link: CVE-2026-24359

cve-icon Vulnrichment

Updated: 2026-03-26T19:55:37.768Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:36.840

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-24359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:31Z

Weaknesses