Vulnerabilities and security research for dokan-lite
Jun 07, 2024
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2022-3915
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 12, 2022
- Research Description
- The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
- Affected versions
- max 3.7.6.
- Status
- vulnerable
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2020-36748
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 01, 2023
- Research Description
- The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
- max 3.0.9.
- Status
- vulnerable
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2023-34382
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 20, 2023
- Research Description
- Deserialization of Untrusted Data vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.19.
- Affected versions
- max 3.7.20.
- Status
- vulnerable
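As an added example (not Dokan's code; plain PHP that runs on its own, with a class and a serialized payload constructed for illustration), this shows why unserialize() on attacker-controlled bytes is the problem behind a "Deserialization of Untrusted Data" finding, and two ways to close it:

```php
<?php
// Added example, not Dokan's code. Plain PHP, runs stand-alone. The LogWriter
// class and the $untrusted payload are constructed for illustration.

// Any class with a magic method is a potential gadget: unserialize() builds the
// object from attacker data and PHP calls __wakeup()/__destruct() on it before
// application code has inspected anything.
class LogWriter {
    public $path;
    public $content;
    public function __destruct() {
        // A real gadget would perform the write; here we only report it.
        echo "LogWriter::__destruct() ran for path {$this->path}\n";
    }
}

// Constructed attacker payload (in practice it arrives in a cookie, POST body,
// option value or import file): a LogWriter whose fields the attacker chose.
$untrusted = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/attacker.php";s:7:"content";s:5:"<?php";}';

// VULNERABLE: every class in scope may be instantiated; magic methods fire.
function load_vulnerable(string $blob) {
    return unserialize($blob);
}

// HARDENED 1: keep the format but forbid objects. With allowed_classes=false
// every serialized object becomes __PHP_Incomplete_Class, which has no
// methods, so nothing runs. Reject such results outright, at any depth.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

function load_no_objects(string $blob) {
    $value = unserialize($blob, ['allowed_classes' => false]);
    return contains_object($value) ? null : $value;
}

// HARDENED 2: for data whose format you control, do not use PHP serialization
// at all. JSON carries only data, never behaviour.
function load_json(string $blob): ?array {
    try {
        $value = json_decode($blob, true, 64, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

$obj = load_vulnerable($untrusted);
var_dump($obj instanceof LogWriter);   // bool(true): the attacker's object now exists
unset($obj);                           // __destruct() fires here with the attacker's path

var_dump(load_no_objects($untrusted));                        // NULL: smuggled object rejected
var_dump(load_no_objects('a:1:{s:3:"key";s:5:"value";}'));   // plain array data still loads
var_dump(load_json('{"key":"value"}'));                      // same data, no object semantics
```

The second approach is the one to reach for in a WordPress plugin: anything persisted as serialized PHP (option values, user meta, import files) is reachable by whoever can write those rows, so treating the stored bytes as trusted is the mistake, and the class allow-list should be empty unless there is a documented reason for a specific class.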
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2022-3194
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 16, 2024
- Research Description
- The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators.
- Affected versions
- max 3.6.6.
- Status
- vulnerable
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # bb2edab103d44b4649118b1f5c0304ff9cfa61cf
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 01, 2021
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in the WordPress Dokan plugin [dokan-lite], versions <= 3.2.0 (fixed in 3.2.1).
- Affected versions
- max 3.2.1.
- Status
- vulnerable
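Both CSRF entries (CVE-2020-36748, which names the missing nonce validation on handle_order_export(), and the NintechNet finding above) come down to the same missing check. As an added example (not Dokan's code; it uses the WordPress core functions check_admin_referer, wp_nonce_field, current_user_can and wp_die, while the action, nonce and field names, the capability and the CSV rows are invented), an export handler is shown in its forgeable shape and in a hardened one:

```php
<?php
// Added example, not Dokan's code. Runs inside WordPress (check_admin_referer,
// wp_nonce_field, current_user_can, wp_die are WP core). The action, nonce and
// field names and the capability are invented; the CSV rows are constructed.

// VULNERABLE shape: the export runs for any request carrying the trigger
// field. A <form> auto-submitted from an attacker's page makes a logged-in
// administrator's browser send exactly that request, cookies included.
function handle_order_export_vulnerable(): void {
    if ( ! isset( $_POST['dokan_export_orders'] ) ) {
        return;
    }
    send_csv( export_orders_csv() );
}

// HARDENED: authorisation and request-origin checks before any side effect.
function handle_order_export_hardened(): void {
    if ( ! isset( $_POST['dokan_export_orders'] ) ) {
        return;
    }
    // State-changing actions accept POST only; a GET link is trivially forgeable.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // Capability: may this user export orders at all? A nonce never replaces this.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce: did our own form, rendered for this user, produce the request?
    // check_admin_referer() dies on failure; wp_verify_nonce() is the
    // non-fatal variant when you need custom error handling.
    check_admin_referer( 'dokan_export_orders', '_dokan_export_nonce' );

    send_csv( export_orders_csv() );
}

// The form that legitimately triggers the export embeds the matching nonce.
// An attacker's page cannot obtain it: the nonce is bound to the victim's
// session and to the action name, and it expires.
function render_export_form(): string {
    return '<form method="post">'
         . wp_nonce_field( 'dokan_export_orders', '_dokan_export_nonce', true, false )
         . '<button type="submit" name="dokan_export_orders" value="1">Export orders</button>'
         . '</form>';
}

function export_orders_csv(): string {
    // Constructed sample rows; a real implementation queries the order store.
    $orders = array(
        array( 'id' => 1001, 'customer' => 'alice@example.com', 'total' => '19.99' ),
        array( 'id' => 1002, 'customer' => 'bob@example.com',   'total' => '5.00' ),
    );
    $csv = "id,customer,total\n";
    foreach ( $orders as $o ) {
        $csv .= $o['id'] . ',' . $o['customer'] . ',' . $o['total'] . "\n";
    }
    return $csv;
}

function send_csv( string $body ): void {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $body;
    exit;
}
```

The order of the checks is deliberate: the capability test is the authorisation decision, the nonce test only proves the request originated from a page WordPress rendered for this user. A handler that has the nonce but no capability check is still reachable by any logged-in user who can load the form.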
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2023-26525
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 20, 2023
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12.
- Affected versions
- max 3.7.13.
- Status
- vulnerable
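Neither SQL injection entry on this page (CVE-2022-3915, exploitable unauthenticated, and CVE-2023-26525 above) names the parameter or query involved, so the example below is generic. It is an added example, not Dokan's code; it uses the WordPress $wpdb API (prepare, esc_like, get_results) and absint from core, and the table and column names are illustrative rather than the plugin's schema:

```php
<?php
// Added example, not Dokan's code. Runs inside WordPress ($wpdb and absint are
// WP core). Table and column names are illustrative, not the plugin's schema.

// VULNERABLE: the request value is concatenated into the SQL text, so a value
// such as  1 OR 1=1  or  0 UNION SELECT user_login, user_pass FROM wp_users
// rewrites the query. If the handler is reachable without a session (a
// wp_ajax_nopriv_* action, a public REST route, a shortcode), the injection is
// unauthenticated, which is what CVE-2022-3915 describes.
function vendor_orders_vulnerable( wpdb $db, $seller_id ): array {
    $sql = "SELECT order_id, order_total FROM {$db->prefix}dokan_orders WHERE seller_id = " . $seller_id;
    return (array) $db->get_results( $sql );
}

// HARDENED: coerce to the column's type, then bind with $wpdb->prepare().
// %d / %s placeholders are quoted and escaped by $wpdb; the value is data,
// never SQL.
function vendor_orders_hardened( wpdb $db, $seller_id ): array {
    $seller_id = absint( $seller_id );
    if ( 0 === $seller_id ) {
        return array();
    }
    $sql = $db->prepare(
        "SELECT order_id, order_total FROM {$db->prefix}dokan_orders WHERE seller_id = %d",
        $seller_id
    );
    return (array) $db->get_results( $sql );
}

// Strings go through %s. Inside a LIKE pattern, escape the wildcards first:
// prepare() does not know the value is a pattern.
function search_stores_hardened( wpdb $db, string $term, int $limit = 50 ): array {
    $pattern = '%' . $db->esc_like( $term ) . '%';
    $sql     = $db->prepare(
        "SELECT user_id, store_name FROM {$db->prefix}dokan_stores WHERE store_name LIKE %s LIMIT %d",
        $pattern,
        $limit
    );
    return (array) $db->get_results( $sql );
}

// Identifiers (ORDER BY column, sort direction, table name) cannot be bound as
// values; allow-list them and fall back to a fixed default.
function vendor_orders_sorted( wpdb $db, int $seller_id, string $orderby, string $dir ): array {
    $columns = array( 'order_id', 'order_total', 'order_date' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'order_id';
    $dir     = 'ASC' === strtoupper( $dir ) ? 'ASC' : 'DESC';
    $sql     = $db->prepare(
        "SELECT order_id, order_total FROM {$db->prefix}dokan_orders WHERE seller_id = %d ORDER BY {$orderby} {$dir}",
        $seller_id
    );
    return (array) $db->get_results( $sql );
}

// Typical call site inside a request handler:
// global $wpdb;
// $rows = vendor_orders_hardened( $wpdb, $_GET['seller_id'] ?? 0 );
```

When reviewing a plugin for this class of bug, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL string is built with "." or interpolation from $_GET, $_POST, $_REQUEST or REST parameters, and check that every such value passes through prepare(). WordPress 6.2 added an %i placeholder for identifiers; on older cores the allow-list above is the only safe option for ORDER BY and table names.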
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2021-4342
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 07, 2023
- Research Description
- Rejected reason: CVE split into individual CVE IDs for each software record.
- Affected versions
- max 3.7.20.
- Status
- vulnerable
Nov 10, 2025
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2025-53425
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 22, 2025
- Research Description
- Incorrect Privilege Assignment vulnerability in Dokan, Inc. Dokan dokan-lite allows Privilege Escalation. This issue affects Dokan: from n/a through 4.1.2.
- Affected versions
- max 4.1.2.
- Status
- vulnerable
Jan 28, 2026
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2025-14977
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 20, 2026
- Research Description
- The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
- Affected versions
- max 4.2.5.
- Status
- vulnerable
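The IDOR above has a recognisable shape: the vendor whose settings are read or written is chosen by a request key, and the permission check only establishes that some account is logged in. As an added example (not Dokan's code; it uses the WordPress REST API functions register_rest_route, WP_REST_Request, rest_ensure_response, get_current_user_id, get_user_meta, update_user_meta and current_user_can, and the namespace, route paths, capability and meta key are invented, not the plugin's real /dokan/v1/settings route), the vulnerable registration is shown beside one where the subject of the request is always the caller:

```php
<?php
// Added example, not Dokan's code. Runs inside WordPress (register_rest_route,
// WP_REST_Request, rest_ensure_response, get_current_user_id, get_user_meta,
// update_user_meta, current_user_can are WP core). The namespace, routes,
// capability and meta key are invented; the plugin's real route is not shown.

add_action( 'rest_api_init', 'example_register_settings_routes' );

function example_register_settings_routes(): void {
    // VULNERABLE shape: which vendor's record is read or written comes from a
    // request key, and the permission check only asks "is somebody logged in?".
    // Any customer account can therefore pick another vendor's id.
    register_rest_route( 'example/v1', '/settings-vulnerable', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_settings_vulnerable',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // HARDENED: the subject of the request is always the caller, and the
    // writable field is declared in 'args' so the REST layer validates and
    // sanitises it before the callback runs.
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_settings_hardened',
        'permission_callback' => 'example_can_manage_own_store',
        'args'                => array(
            'paypal_email' => array(
                'type'              => 'string',
                'format'            => 'email',      // request gets a 400 unless is_email() passes
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
}

function example_settings_vulnerable( WP_REST_Request $req ) {
    $vendor_id = (int) $req->get_param( 'vendor_id' );            // attacker-controlled
    if ( 'POST' === $req->get_method() ) {
        update_user_meta( $vendor_id, 'store_paypal_email', $req->get_param( 'paypal_email' ) );
    }
    return rest_ensure_response( array(
        'paypal_email' => get_user_meta( $vendor_id, 'store_paypal_email', true ),
    ) );
}

// Permission: logged in AND actually a vendor. A customer account is logged in
// but lacks the vendor capability, so it is refused with 403 before the callback.
function example_can_manage_own_store(): bool {
    return is_user_logged_in() && current_user_can( 'example_manage_store' );
}

function example_settings_hardened( WP_REST_Request $req ) {
    $vendor_id = get_current_user_id();                            // never taken from the request
    if ( 'POST' === $req->get_method() && null !== $req->get_param( 'paypal_email' ) ) {
        update_user_meta( $vendor_id, 'store_paypal_email', $req->get_param( 'paypal_email' ) );
    }
    return rest_ensure_response( array(
        'paypal_email' => get_user_meta( $vendor_id, 'store_paypal_email', true ),
    ) );
}

// When staff legitimately need another vendor's record, make the
// ownership-or-capability decision explicit and keep it on a separate route.
function example_can_access_vendor( int $target_vendor_id ): bool {
    return get_current_user_id() === $target_vendor_id || current_user_can( 'manage_woocommerce' );
}
```

The payout angle in the advisory is why this matters more than a typical settings IDOR: a PayPal address is a write-once-and-wait target. A useful detective control on a marketplace is to alert on any change to payout fields and to compare the acting user id with the record's owner id in that alert.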
Apr 13, 2026
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2026-24359
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 25, 2026
- Research Description
- Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse. This issue affects Dokan: from n/a through 4.2.4.
- Affected versions
- max 4.2.5.
- Status
- vulnerable
May 03, 2026
Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy # CVE-2026-3504
- CVE, Research URL
- Home page URL
- Application
- Date
- May 02, 2026
- Research Description
- The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.
- Affected versions
- max 4.3.2.
- Status
- vulnerable
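The exposure above is a response-shaping bug rather than an access-control one: the public endpoint is meant to be anonymous, but the method that turns review rows into JSON copies identifying fields along with the review text. As an added example (not Dokan's code and not its prepare_reviews_for_response(); plain PHP that runs stand-alone, with review rows constructed using the column names WordPress comments use, and invented function names), the leaky transform is shown beside an allow-list version, plus a small check that can be pointed at any decoded JSON response:

```php
<?php
// Added example, not Dokan's code. Plain PHP, runs stand-alone. The review rows
// are constructed with the column names WordPress comments use; the function
// names are invented and do not reproduce the plugin's prepare_reviews_for_response().

// Constructed rows, as a store-review query might return them.
$reviews = array(
    (object) array(
        'comment_ID' => 17, 'user_id' => 204, 'user_login' => 'janed',
        'comment_author' => 'Jane D.', 'comment_author_email' => 'jane@example.com',
        'comment_content' => 'Fast shipping.', 'rating' => 5,
        'comment_date_gmt' => '2026-04-01 10:00:00',
    ),
    (object) array(
        'comment_ID' => 18, 'user_id' => 377, 'user_login' => 'm.okafor',
        'comment_author' => 'M. Okafor', 'comment_author_email' => 'okafor@example.net',
        'comment_content' => 'Arrived damaged.', 'rating' => 2,
        'comment_date_gmt' => '2026-04-03 18:30:00',
    ),
);

// VULNERABLE shape: the row is copied almost wholesale into the JSON body, so
// every anonymous GET on the public reviews route hands out reviewer emails,
// logins and user ids, ready for harvesting across all stores.
function prepare_reviews_vulnerable( array $rows ): array {
    $out = array();
    foreach ( $rows as $r ) {
        $out[] = array(
            'id'       => (int) $r->comment_ID,
            'user_id'  => (int) $r->user_id,
            'username' => $r->user_login,
            'email'    => $r->comment_author_email,
            'name'     => $r->comment_author,
            'content'  => $r->comment_content,
            'rating'   => (int) $r->rating,
            'date'     => $r->comment_date_gmt,
        );
    }
    return $out;
}

// HARDENED: build each item from an explicit allow-list of public fields.
// Identifying fields are added only when the caller is staff, a decision the
// route's permission logic makes (e.g. current_user_can('moderate_comments')).
function prepare_reviews_hardened( array $rows, bool $caller_is_staff = false ): array {
    $out = array();
    foreach ( $rows as $r ) {
        $item = array(
            'id'      => (int) $r->comment_ID,
            'name'    => $r->comment_author,
            'content' => $r->comment_content,
            'rating'  => (int) $r->rating,
            'date'    => $r->comment_date_gmt,
        );
        if ( $caller_is_staff ) {
            $item['user_id'] = (int) $r->user_id;
            $item['email']   = $r->comment_author_email;
        }
        $out[] = $item;
    }
    return $out;
}

// Regression check usable on any decoded response (json_decode($body, true)):
// returns the keys, at any depth, that normally carry reviewer PII.
function find_pii_keys( $payload ): array {
    $watch = array( 'email', 'user_email', 'comment_author_email', 'user_id',
                    'username', 'user_login', 'author_ip', 'comment_author_ip' );
    $found = array();
    $walk  = function ( $node ) use ( &$walk, &$found, $watch ) {
        if ( ! is_array( $node ) ) {
            return;
        }
        foreach ( $node as $key => $value ) {
            if ( is_string( $key ) && in_array( strtolower( $key ), $watch, true ) ) {
                $found[ $key ] = true;
            }
            $walk( $value );
        }
    };
    $walk( $payload );
    return array_keys( $found );
}

print_r( find_pii_keys( prepare_reviews_vulnerable( $reviews ) ) );     // user_id, username, email
print_r( find_pii_keys( prepare_reviews_hardened( $reviews ) ) );       // nothing
print_r( find_pii_keys( prepare_reviews_hardened( $reviews, true ) ) ); // user_id, email
```

The same check is worth running unauthenticated against every public REST route a plugin registers, not just reviews: a response built from a raw database row leaks whatever the row contains. Note the advisory's precondition: the endpoint only becomes exploitable when the Pro version is active and store reviews are enabled, so a scanner that sees the route but not the data is not proof of exposure.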