Description
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The documented vulnerability in the WordPress Dokan plugin version 5.0.2 and earlier permits a customer with standard user privileges to elevate their privileges within the WordPress environment. This privilege escalation flaw allows unauthorized users to assume elevated access, potentially enabling them to modify, delete, or create content and effectively take control of the store. The weakness is identified as an access control issue (CWE-266).

Affected Systems

Affected systems include installations of the Dokan plugin by Dokan, Inc. for WordPress. Specifically, all Dokan plugin versions 5.0.2 and below are impacted. This ranges across WordPress sites that have deployed the plugin without updating to at least 5.0.3, which implements the fix.

Risk and Exploitability

The CVSS score of 8.8 indicates a high impact vulnerability, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it appears the flaw requires an authenticated user with customer-level privileges to interact with the plugin, and the attacker can exploit the flaw by navigating to specific disabled functionality that improperly enforces role checks. The attack vector is inferred to be authenticated interaction with WordPress user session; remote exploitation is not explicitly documented. Consequently the risk exists for sites that have not applied the update and whose user accounts could be leveraged to gain elevated authority.

Generated by OpenCVE AI on June 18, 2026 at 00:24 UTC.

Remediation

Vendor Solution

Update the WordPress Dokan Plugin to the latest available version (at least 5.0.3).


OpenCVE Recommended Actions

  • Update the Dokan plugin to version 5.0.3 or newer.
  • If an immediate update is not possible, temporarily deactivate or remove the Dokan plugin until the patch is applied.
  • Review and restrict WordPress user role permissions for the Dokan plugin to the minimal set required to operate, preventing ordinary customers from invoking privileged actions.

Generated by OpenCVE AI on June 18, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Dokan, Inc.
Dokan, Inc. dokan
Wordpress
Wordpress wordpress
Vendors & Products Dokan, Inc.
Dokan, Inc. dokan
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Customer Privilege Escalation in Dokan <= 5.0.2 versions.
Title WordPress Dokan plugin <= 5.0.2 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Dokan, Inc. Dokan
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:17:36.373Z

Reserved: 2026-06-01T15:29:19.865Z

Link: CVE-2026-49780

cve-icon Vulnrichment

Updated: 2026-06-16T01:17:30.777Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:22.520

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49780

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:37Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment