[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3FlxFyZbpE4X_Yvs7UTkKBl5M3bIgCDi9QVRJaH3Vss":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-10023","dokan-ai-powered-woocommerce-multivendor-marketplace-solution-insecure-direct-object-reference-to-authenticated-custom-a","Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003C= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers","The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., \u002Fdashboard\u002Forders\u002F?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.","dokan-lite",null,"\u003C=5.0.3","5.0.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-17 14:54:38","2026-06-18 03:41:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F998e545c-2ad5-48ec-bad1-d346170af408?source=api-prod",1,[22,23,24,25,26,27,28,29],".wp-env.json","assets\u002Fcss\u002Fdokan-admin-dashboard.css","assets\u002Fcss\u002Fdokan-tailwind.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fjs\u002Fdokan-admin-dashboard-rtl.css","assets\u002Fjs\u002Fdokan-admin-dashboard.asset.php","assets\u002Fjs\u002Fdokan-admin-dashboard.css","assets\u002Fjs\u002Fdokan-admin-dashboard.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-10023\n\n## 1. Vulnerability Summary\n**CVE-2026-10023** is a critical Insecure Direct Object Reference (IDOR) vulnerability in the **Dokan: AI Powered WooCommerce Multivendor Marketplace Solution** plugin (dokan-lite) up to version 5.0.3. \n\nThe vulnerability exists in several AJAX handlers that manage order data. These handlers verify a WordPress nonce to ensure the request is part of a valid user session but fail to perform an **ownership check** to verify if the requesting vendor actually owns the order associated with the provided `order_id`. Because WordPress nonces for a specific action are consistent for a user's session regardless of the specific object (order) being viewed, a vendor can generate a valid nonce on their own order dashboard and \"replay\" it in a request targeting an order ID belonging to a different vendor.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **AJAX Actions (Inferred from description):**\n    *   `dokan_change_order_status`\n    *   `dokan_add_order_note`\n    *   `dokan_delete_order_note`\n    *   `dokan_add_shipping_tracking_info`\n    *   `dokan_grant_access_to_download`\n    *   `dokan_revoke_access_to_download`\n*   **Payload Parameter:** `order_id` (The target order ID) and accompanying data (e.g., `order_status`, `note`, `tracking_number`).\n*   **Authentication Required:** Authenticated user with **Vendor** (or higher) capabilities.\n*   **Preconditions:** The attacker must have at least one order of their own (or access to the vendor dashboard) to generate the required nonce.\n\n## 3. Code Flow (Inferred)\n1.  **Entry:** The vendor sends a POST request to `admin-ajax.php` with an action like `dokan_change_order_status`.\n2.  **Nonce Verification:** The handler calls `check_ajax_referer( 'dokan_reviews_nonce', 'security' )` (or a similar nonce check). This succeeds because the attacker provides a nonce they legitimately generated on their own dashboard.\n3.  **Missing Authorization:** The code retrieves the `order_id` from `$_POST`.\n4.  **Action Execution:** The code proceeds to call WooCommerce functions like `$order->update_status()` or `$order->add_order_note()` directly using the user-provided `order_id` **without** checking if `get_current_user_id() === $order->get_meta('_dokan_vendor_id')`.\n5.  **Sink:** The database is updated, or an email notification is triggered to the customer of the victim vendor.\n\n## 4. Nonce Acquisition Strategy\nDokan localizes its dashboard data into a global JavaScript object. To exploit this, the attacker needs the nonce used for order actions.\n\n1.  **Identify Shortcode:** The Dokan dashboard is usually rendered via the `[dokan-dashboard]` shortcode on a specific page (commonly the `\u002Fdashboard\u002F` slug).\n2.  **Create\u002FAccess Vendor Dashboard:** \n    *   The agent should ensure a Vendor user is created and a dashboard page exists:\n        `wp post create --post_type=page --post_title=\"Dashboard\" --post_status=publish --post_content='[dokan-dashboard]'`\n3.  **Navigate and Extract:**\n    *   Navigate to the orders section of the dashboard: `\u002Fdashboard\u002Forders\u002F`.\n    *   Use `browser_eval` to extract the security nonce from the localized JS object.\n    *   **Inferred JS Variable:** `window.dokan?.nonce` or `window.dokan?.order_nonce`. \n    *   *Note:* Dokan often uses the key `_wpnonce` or `security` in the AJAX payload.\n\n## 5. Exploitation Strategy\nThis plan focuses on `dokan_change_order_status` as the primary PoC.\n\n### Step 1: Target Identification\nThe attacker identifies a victim `order_id` (e.g., by incrementing their own Order IDs or through other reconnaissance).\n\n### Step 2: Payload Construction\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=dokan_change_order_status&order_id=[VICTIM_ORDER_ID]&order_status=completed&security=[ATTACKER_NONCE]\n    ```\n\n### Step 3: Triggering Note Injection (Alternative)\nTo demonstrate higher impact (Social Engineering\u002FPhishing via Customer Emails):\n*   **Body:**\n    ```\n    action=dokan_add_order_note&order_id=[VICTIM_ORDER_ID]&note=Your+order+requires+verification.+Visit+http:\u002F\u002Fattacker.com\u002F&note_type=customer&security=[ATTACKER_NONCE]\n    ```\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `woocommerce` and `dokan-lite` (\u003C= 5.0.3) are active.\n2.  **Configure Dokan:** Enable \"Vendor can update order status\" in Dokan settings if necessary (usually default).\n3.  **Users:**\n    *   `vendor_victim`: A vendor user.\n    *   `vendor_attacker`: A vendor user.\n    *   `customer_user`: A standard customer.\n4.  **Orders:**\n    *   Create a product for `vendor_victim`.\n    *   As `customer_user`, purchase the victim's product. Let's assume this creates **Order #100**.\n    *   Create a product for `vendor_attacker`.\n    *   As `customer_user`, purchase the attacker's product. Let's assume this creates **Order #101**.\n\n## 7. Expected Results\n*   **Success Response:** The AJAX handler will typically return a JSON success message or `1`.\n*   **System State Change:** Order #100 (which belongs to `vendor_victim`) will have its status changed to `completed` despite the request being made by `vendor_attacker`.\n*   **Notification:** The `customer_user` may receive a \"Your order is complete\" email from WooCommerce for an order the victim vendor has not yet fulfilled.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the impact via WP-CLI:\n\n1.  **Check Order Status:**\n    `wp wc order get 100 --field=status`\n    *Expected: \"completed\"*\n2.  **Check Order Notes (if note injection tested):**\n    `wp wc order_note list 100 --fields=note`\n    *Expected: Contains the attacker's malicious string.*\n\n## 9. Alternative Approaches\nIf `dokan_change_order_status` requires specific parameters not found in the initial trace:\n*   **Try `dokan_add_shipping_tracking_info`**:\n    *   Params: `order_id=[VICTIM_ID]`, `tracking_number=FAKE123`, `shipping_provider=Other`, `security=[NONCE]`.\n    *   This is high impact as it affects customer trust and fulfillment tracking.\n*   **Try `dokan_delete_order_note`**:\n    *   Params: `order_id=[VICTIM_ID]`, `note_id=[NOTE_ID]`, `security=[NONCE]`.\n    *   Requires identifying a `note_id` (which are just WordPress comment IDs).","The Dokan plugin is vulnerable to Insecure Direct Object Reference (IDOR) via several AJAX handlers (e.g., change_order_status, add_order_note) due to a lack of ownership validation on the order ID. Authenticated vendors can exploit this by harvesting a valid session nonce from their own dashboard and replaying it in requests against orders belonging to other vendors to modify statuses or inject notes.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F5.0.3\u002Fassets\u002Fcss\u002Fdokan-admin-dashboard.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F5.0.4\u002Fassets\u002Fcss\u002Fdokan-admin-dashboard.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F5.0.3\u002Fassets\u002Fcss\u002Fdokan-admin-dashboard.css\t2026-04-28 13:01:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F5.0.4\u002Fassets\u002Fcss\u002Fdokan-admin-dashboard.css\t2026-06-08 11:00:08.000000000 +0000\n@@ -1,4 +1,4 @@\n-.dokan-withdraw-style-reset button:focus,.dokan-withdraw-style-reset .menu-toggle:hover,.dokan-withdraw-style-reset button:hover,.dokan-withdraw-style-reset .button:hover,.dokan-withdraw-style-reset .ast-custom-button:hover,.dokan-withdraw-style-reset input[type=reset]:hover,.dokan-withdraw-style-reset input[type=reset]:focus,.dokan-withdraw-style-reset input#submit:hover,.dokan-withdraw-style-reset input#submit:focus,.dokan-withdraw-style-reset input[type=button]:hover,.dokan-withdraw-style-reset input[type=button]:focus,.dokan-withdraw-style-reset input[type=submit]:hover,.dokan-withdraw-style-reset input[type=submit]:focus{background-color:var(--dokan-button-hover-color, #7047EB);border-color:var(--dokan-button-hover-background-color, #7047EB)}.dokan-withdraw-style-reset button{box-shadow:none;border:none}.dokan-withdraw-style-reset input{border:none}.dokan-withdraw-style-reset table,.dokan-withdraw-style-reset th,.dokan-withdraw-style-reset td{margin:0;padding:0;border:0;border-spacing:0;border-collapse:collapse;font-size:inherit;font-weight:inherit;text-align:inherit;vertical-align:inherit;box-sizing:border-box}.dokan-withdraw-style-reset input[type=text][role=combobox]{height:fit-content}.dokan-withdraw-style-reset .border{border-style:solid;border-width:1px}.dokan-withdraw-style-reset .border-b{border-bottom-width:1px;border-bottom-style:solid}\n+.dokan-withdraw-style-reset button:focus,.dokan-withdraw-style-reset .menu-toggle:hover,.dokan-withdraw-style-reset button:hover,.dokan-withdraw-style-reset .button:hover,.dokan-withdraw-style-reset .ast-custom-button:hover,.dokan-withdraw-style-reset input[type=reset]:hover,.dokan-withdraw-style-reset input[type=reset]:focus,.dokan-withdraw-style-reset input#submit:hover,.dokan-withdraw-style-reset input#submit:focus,.dokan-withdraw-style-reset input[type=button]:hover,.dokan-withdraw-style-reset input[type=button]:focus,.dokan-withdraw-style-reset input[type=submit]:hover,.dokan-withdraw-style-reset input[type=submit]:focus{background-color:var(--dokan-button-hover-color, #7047EB);border-color:var(--dokan-button-hover-background-color, #7047EB)}.dokan-withdraw-style-reset button{box-shadow:none;border:none}.dokan-withdraw-style-reset input{border:none}.dokan-withdraw-style-reset table,.dokan-withdraw-style-reset th,.dokan-withdraw-style-reset td{margin:0;padding:0;border:0;border-spacing:0;border-collapse:collapse;font-size:inherit;font-weight:inherit;text-align:inherit;vertical-align:inherit;box-sizing:border-box}.dokan-withdraw-style-reset input[type=text][role=combobox]{height:fit-content}.dokan-withdraw-style-reset .border{border-style:solid;border-width:1px}.dokan-withdraw-style-reset .border-b{border-bottom-width:1px;border-bottom-style:solid}body:has(.dokan-withdraw-wrapper) .dokan-toaster{z-index:100001 !important}","To exploit this vulnerability, an attacker must have Vendor-level authentication. 1. The attacker logs into their vendor account and navigates to their own order dashboard (e.g., \u002Fdashboard\u002Forders\u002F) to obtain a valid security nonce for order actions from the localized JavaScript object (e.g., dokan.nonce). 2. The attacker identifies a target victim order ID (e.g., by enumerating IDs or using OSINT). 3. The attacker sends a POST request to wp-admin\u002Fadmin-ajax.php with an action such as 'dokan_change_order_status' or 'dokan_add_order_note'. 4. The payload includes the target 'order_id' and the valid nonce they harvested. 5. Since the backend verifies only that the nonce is valid for the user's session and not that the user owns the specific order ID, the server processes the requested modification (e.g., changing status to 'completed' or adding a phishing note) on the victim's order.","gemini-3-flash-preview","2026-06-25 22:07:59","2026-06-25 22:08:53",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.0.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F5.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.5.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F5.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.5.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags"]