CVE Catalog

CVE-2026-12224

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST Endpoint in all versions up to and including 5.0.4. The lack of allowlist validation allows authenticated attackers with Vendor-level access or higher, when the Vendor Staff module is enabled, to grant arbitrary WordPress capabilities, including administrator, to vendor_staff accounts, leading to full site takeover.

Risk Assessment

The organization risks complete loss of control over the WordPress site, as attackers can gain unrestricted administrative access and perform any actions, including content modification, data theft, or malware installation.

Recommendation

Immediately update the Dokan Pro plugin to the latest available version that includes a fix for this vulnerability. If an update is not available, temporarily disable the Vendor Staff module or restrict access to the REST endpoint for unauthorized users.

Original NVD description (English source)

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS