Impact
The documented vulnerability in the WordPress Dokan plugin version 5.0.2 and earlier permits a customer with standard user privileges to elevate their privileges within the WordPress environment. This privilege escalation flaw allows unauthorized users to assume elevated access, potentially enabling them to modify, delete, or create content and effectively take control of the store. The weakness is identified as an access control issue (CWE-266).
Affected Systems
Affected systems include installations of the Dokan plugin by Dokan, Inc. for WordPress. Specifically, all Dokan plugin versions 5.0.2 and below are impacted. This ranges across WordPress sites that have deployed the plugin without updating to at least 5.0.3, which implements the fix.
Risk and Exploitability
The CVSS score of 8.8 indicates a high impact vulnerability, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it appears the flaw requires an authenticated user with customer-level privileges to interact with the plugin, and the attacker can exploit the flaw by navigating to specific disabled functionality that improperly enforces role checks. The attack vector is inferred to be authenticated interaction with WordPress user session; remote exploitation is not explicitly documented. Consequently the risk exists for sites that have not applied the update and whose user accounts could be leveraged to gain elevated authority.
OpenCVE Enrichment