An unauthenticated attacker can trigger the Dokan REST endpoint that returns all reviews for a vendor store and in the response the attacker receives reviewer email addresses, usernames, and user IDs. This information is not meant to be public, so the vulnerability constitutes Sensitive Information Exposure as defined by CWE‑200. The impact is that attackers can expose customer identities and potentially use the data for phishing or further attacks. The severity is moderate, reflected in the CVSS score of 5.3.

Dokan's AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is affected. The vulnerability exists in all releases up to and including version 4.3.1. The Pro edition must be installed and activated, and store reviews must be enabled, for the flaw to be exploitable. The issue is localized to the "/dokan/v1/stores/{id}/reviews" REST API endpoint. Users who rely on the Pro feature and have store reviews enabled are at risk.

The CVSS score of 5.3 indicates moderate overall risk. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, so no known mass exploitation evidence exists yet. The vulnerability can be exploited by making an unauthenticated HTTP GET request to the review endpoint. Because the request does not require authentication, an attacker can retrieve the entire review payload. The only prerequisite is that the Pro version is activated and reviews are enabled. Because the data exposed includes sensitive customer identifiers, the risk to confidentiality is high, but no direct denial of service or code execution occurs.