CVE Catalog

CVE-2026-10023

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin is vulnerable to Insecure Direct Object Reference in all versions up to 5.0.3. The lack of ownership validation on the order ID key allows authenticated attackers to modify order statuses and add, delete, and modify order notes.

Risk Assessment

Attackers can manipulate orders, leading to serious security breaches, including sending fake shipping tracking information and unauthorized access to downloadable products. This poses a risk of losing customer trust and potential financial losses.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, implementing further ownership validation mechanisms in AJAX handlers is advisable.

Original NVD description (English source)

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS