[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuNs88pll507DoOH-aJ8hD0S7gakrK_ZTZH_hBIzrYEM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3504","dokan-ai-powered-woocommerce-multivendor-marketplace-solution-unauthenticated-information-disclosure-in-store-reviews-re","Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003C= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint","The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '\u002Fdokan\u002Fv1\u002Fstores\u002F{id}\u002Freviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. 
The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.","dokan-lite",null,"\u003C=4.3.1","4.3.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-01 00:00:00","2026-05-02 13:26:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=api-prod",2,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fdokan-pro-features.asset.php","assets\u002Fjs\u002Fdokan-pro-features.js","dokan-class.php","dokan.php","includes\u002FREST\u002FStoreController.php","languages\u002Fdokan-lite.pot","readme.txt","templates\u002Fwhats-new.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-3504\n\n## 1. Vulnerability Summary\nThe Dokan Multivendor Marketplace plugin (dokan-lite) up to version 4.3.1 is vulnerable to **Unauthenticated Information Disclosure** via the Store Reviews REST API. The vulnerability exists because the `prepare_reviews_for_response` method (and associated logic) fails to sanitize or exclude sensitive reviewer data—specifically email addresses, usernames, and user IDs—from the public API response. An unauthenticated attacker can query the reviews of any vendor store to harvest customer data.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores\u002F(?P\u003Cid>[\\d]+)\u002Freviews`\n- **Method:** `GET` (Registered as `WP_REST_Server::READABLE`)\n- **Authentication:** None (Explicitly uses `'permission_callback' => '__return_true'` in `includes\u002FREST\u002FStoreController.php`).\n- **Parameter:** `id` (The numerical ID of the Vendor\u002FStore).\n- **Preconditions:** \n    - Dokan Pro must be installed and activated.\n    - The \"Store Reviews\" feature must be enabled.\n    - At least one customer must have left a review for the target vendor.\n\n## 3. Code Flow\n1. **Route Registration:** In `includes\u002FREST\u002FStoreController.php`, the `register_routes` method registers the reviews endpoint:\n   ```php\n   register_rest_route(\n       $this->namespace, '\u002F' . $this->base . '\u002F(?P\u003Cid>[\\d]+)\u002Freviews', [\n           'args' => [ 'id' => [ ... ] ],\n           [\n               'methods'             => WP_REST_Server::READABLE,\n               'callback'            => [ $this, 'get_store_reviews' ],\n               'args'                => $this->get_collection_params(),\n               'permission_callback' => '__return_true', \u002F\u002F Entry point is public\n           ],\n       ]\n   );\n   ```\n2. **Callback Execution:** When the endpoint is hit, `get_store_reviews($request)` is called.\n3. **Data Retrieval:** The method fetches reviews (which are stored as `comments` with a specific type, usually `dokan_store_review`).\n4. **Data Preparation (Sink):** For each review found, the controller calls a preparation method (referred to as `prepare_reviews_for_response` in the disclosure). This method maps the internal WordPress comment object to the API response array. \n5. 
**Disclosure:** The mapping includes fields like `author_email` or `reviewer_email`, `author_user_id`, and `author_name` directly from the user\u002Fcomment record without checking if the requester is an administrator.\n\n## 4. Nonce Acquisition Strategy\nAccording to `includes\u002FREST\u002FStoreController.php`, the `permission_callback` for the `GET` request is `__return_true`. \n\n**No nonce is required** for this exploitation because:\n1. It is a `GET` request.\n2. It is an unauthenticated \"Information Disclosure\" vulnerability.\n3. The REST API only requires the `_wpnonce` header\u002Fparameter if a session cookie is present (to prevent CSRF). For a \"naked\" unauthenticated request via the `http_request` tool, no nonce is needed.\n\n## 5. Exploitation Strategy\n1. **Identify Vendor ID:** Enumerate vendor IDs (typically start at 1 or 2). This can be done by hitting `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores` or checking the `\u002Fstore\u002Fvendor-name` URL on the frontend.\n2. **Send API Request:** Use the `http_request` tool to perform a GET request to the vulnerable endpoint.\n3. **Analyze Response:** Parse the JSON response and extract fields containing emails and usernames.\n\n**Request Template:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores\u002F{{VENDOR_ID}}\u002Freviews`\n- **Method:** `GET`\n- **Headers:** \n    - `Accept: application\u002Fjson`\n\n## 6. Test Data Setup\n1. **Install Plugins:**\n   - Install `dokan-lite` version 4.3.1.\n   - Install and activate `dokan-pro` (required per vulnerability description).\n2. **Configure Dokan:**\n   - Complete the setup wizard.\n   - Ensure \"Store Reviews\" are enabled (Dokan > Settings > Selling Options > Enable Store Reviews).\n3. **Create Entities:**\n   - Create a Vendor user (e.g., `vendor_test`).\n   - Create a Customer user (e.g., `victim_customer` with email `victim@example.com`).\n4. 
**Generate Data:**\n   - Log in as `victim_customer`.\n   - Navigate to the Vendor's store page.\n   - Leave a store review (Note: This is a store review, not a product review).\n5. **Verify Vendor ID:** Run `wp user list --role=seller` to find the Vendor's ID.\n\n## 7. Expected Results\nA successful exploit will return a JSON array of objects. Each object representing a review will contain:\n- `id`: The review ID.\n- `author`: An object containing the customer's **username** and **user ID**.\n- `email` (or `author_email`): The customer's **cleartext email address**.\n- `content`: The text of the review.\n\nExample of vulnerable response fragment:\n```json\n[\n  {\n    \"id\": 45,\n    \"author\": {\n      \"id\": 12,\n      \"name\": \"victim_customer\",\n      \"url\": \"\"\n    },\n    \"author_email\": \"victim@example.com\",\n    \"content\": \"Great store!\",\n    ...\n  }\n]\n```\n\n## 8. Verification Steps\n1. **Confirm Output:** Verify that the email address returned in the JSON matches the email of the `victim_customer` created in step 6.\n2. **Unauthenticated Check:** Ensure the request was made without any `Cookie` or `Authorization` headers.\n3. **WP-CLI Cross-Check:**\n   ```bash\n   # Get the customer's actual email\n   wp user get victim_customer --field=user_email\n   # Compare with the one found in the API response\n   ```\n\n## 9. Alternative Approaches\nIf `\u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores\u002F{id}\u002Freviews` is blocked or returns 404:\n- Try the Store collection endpoint first to ensure the Store ID is correct: `GET \u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores`.\n- If the Pro version features are not enabled, the route might exist but return an empty set. 
Check Dokan settings via `wp option get dokan_selling` to ensure reviews are enabled.\n- Check if the reviews are held for moderation; if so, approve them via `wp comment list --status=hold` and `wp comment approve \u003Cid>`.","The Dokan plugin for WordPress discloses sensitive reviewer information including email addresses, usernames, and user IDs via the public '\u002Fdokan\u002Fv1\u002Fstores\u002F{id}\u002Freviews' REST API endpoint. Unauthenticated attackers can exploit this to harvest personal data of any customer who has left a review on a vendor's store.","\u002F* File: includes\u002FREST\u002FStoreController.php *\u002F\n\nregister_rest_route(\n    $this->namespace, '\u002F' . $this->base . '\u002F(?P\u003Cid>[\\d]+)\u002Freviews', [\n        'args' => [\n            'id' => [\n                'description' => __( 'Unique identifier for the object.', 'dokan-lite' ),\n                'type'        => 'integer',\n             ]\n        ],\n        [\n            'methods'             => WP_REST_Server::READABLE,\n            'callback'            => [ $this, 'get_store_reviews' ],\n            'args'                => $this->get_collection_params(),\n            'permission_callback' => '__return_true',\n        ],\n    ]\n);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.1\u002Fassets\u002Fjs\u002Fdokan-pro-features.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.2\u002Fassets\u002Fjs\u002Fdokan-pro-features.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.1\u002Fassets\u002Fjs\u002Fdokan-pro-features.asset.php\t2025-12-26 09:21:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.2\u002Fassets\u002Fjs\u002Fdokan-pro-features.asset.php\t2026-03-13 09:32:16.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return 
array('dependencies' => array('react', 'react-jsx-runtime', 'wp-dom-ready', 'wp-element', 'wp-i18n'), 'version' => '47a74642fd5f0e3f2824');\n+\u003C?php return array('dependencies' => array('react', 'react-jsx-runtime', 'wp-dom-ready', 'wp-element', 'wp-i18n'), 'version' => 'c8a2b996431c317b9846');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.1\u002Fassets\u002Fjs\u002Fdokan-pro-features.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.2\u002Fassets\u002Fjs\u002Fdokan-pro-features.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.1\u002Fassets\u002Fjs\u002Fdokan-pro-features.js\t2025-11-26 09:41:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdokan-lite\u002F4.3.2\u002Fassets\u002Fjs\u002Fdokan-pro-features.js\t2026-03-13 09:32:16.000000000 +0000\n@@ -1,2 +1,2 @@\n \u002F*! For license information please see dokan-pro-features.js.LICENSE.txt *\u002F\n-(()=>{\"use strict\";var e={n:t=>{var a=t&&t.__esModule?()=>t.default:()=>t;return e.d(a,{a}),a},d:(t,a)=>{for(var l in a)e.o(a,l)&&!e.o(t,l)&&Object.defineProperty(t,l,{enumerable:!0,get:a[l]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t)};const t=window.wp.domReady;var a,l,n,i,s,r,o,d,c,m,x,p,u,h,g,f,b,k,_,v,w,j,y,N,L,C,M,F,S,E,P,A,D,z,V=e.n(t);const H=dokanAdminDashboardSettings&&dokanAdminDashboardSettings[\"pro-features\"]?dokanAdminDashboardSettings[\"pro-features\"]:{} ... (truncated)","1. Identify the numerical Vendor ID of a target store (this can often be found by browsing the site's stores or querying the \u002Fdokan\u002Fv1\u002Fstores endpoint).\n2. Construct an unauthenticated GET request to the REST API endpoint: \u002Fwp-json\u002Fdokan\u002Fv1\u002Fstores\u002F{id}\u002Freviews.\n3. Send the request without any authentication headers or nonces.\n4. 
Examine the JSON response objects, which contain the 'author_email', 'author_name' (username), and 'author' (containing user ID) for every user who submitted a store review.","gemini-3-flash-preview","2026-05-04 17:37:57","2026-05-04 17:38:21",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags\u002F4.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdokan-lite.4.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-lite\u002Ftags"]