CVE-2026-12224
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST Endpoint in all versions up to and including 5.0.4. The lack of allowlist validation allows authenticated attackers with Vendor-level access or higher, when the Vendor Staff module is enabled, to grant arbitrary WordPress capabilities, including administrator, to vendor_staff accounts, leading to full site takeover.
Risk Assessment
The organization risks complete loss of control over the WordPress site, as attackers can gain unrestricted administrative access and perform any actions, including content modification, data theft, or malware installation.
Recommendation
Immediately update the Dokan Pro plugin to the latest available version that includes a fix for this vulnerability. If an update is not available, temporarily disable the Vendor Staff module or restrict access to the REST endpoint for unauthorized users.
Original NVD description (English source)
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.

