cleantalk
Vulnerabilities and Security Researches

Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy, CVE-2026-10023

CVE, Research URL

CVE-2026-10023

Home page URL

Security reports for Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Application

Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Published on
Jun 18, 2026
Research Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.
Affected versions
max 5.0.4.
Status
vulnerable
Previous vulnerability researches
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (6d8910c719b2a132ec93828cd37e418b19cac960) , Jun 16, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (9b1e2230b7886edf3c051cec5a5c91d89e19bc13) , Jun 16, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (CVE-2022-4974) , Nov 15, 2024
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (CVE-2023-33999) , Jun 13, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (e24566f9bdab14b4b44a1c0befc6d678dd11428c) , Jun 06, 2024
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2026-54803) , Jun 19, 2026
SMS Alert Order Notifications – WooCommerce (CVE-2026-54802) , Jun 19, 2026
Webhook Automator & Form Integration to Automate 200+ Platforms – Bit Integrations (CVE-2026-11989) , Jun 19, 2026
Appointment Booking Calendar (CVE-2026-12111) , Jun 19, 2026
Melhor Envio (CVE-2026-54804) , Jun 19, 2026