CVE-2022-3915 in Dokan Plugin

Summary

by MITRE • 12/12/2022

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.


Analysis

by VulDB Data Team • 02/25/2026

The vulnerability identified as CVE-2022-3915 affects the Dokan WordPress plugin version 3.7.5 and earlier, representing a critical security flaw that undermines the integrity of WordPress-based e-commerce platforms. This issue stems from inadequate input validation and sanitization practices within the plugin's codebase, specifically targeting the handling of user-supplied parameters that are subsequently incorporated into database queries without proper escaping mechanisms. The vulnerability's classification as a SQL injection weakness places it squarely within the scope of common web application security risks that can lead to unauthorized data access and system compromise.

Technically, the vulnerability arises when the plugin processes certain parameters passed in HTTP requests without sufficient sanitization. These parameters are concatenated directly into SQL query strings, so crafted input can inject arbitrary SQL commands. The flaw sits in the plugin's backend processing logic, where user-controllable data enters the database interaction flow without validation or escaping. This allows unauthenticated attackers to manipulate the SQL execution flow with crafted requests, potentially enabling them to extract sensitive information, modify database contents, or even escalate privileges within the affected WordPress installation.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with a pathway to gain unauthorized access to the underlying database infrastructure. Since the vulnerability is exploitable by unauthenticated users, it represents a significant risk to WordPress sites running vulnerable versions of the Dokan plugin, particularly those hosting e-commerce data or user information. The potential consequences include unauthorized access to customer data, product catalogs, order histories, and other sensitive business information. The vulnerability's exploitation does not require any authentication credentials, making it particularly dangerous as it can be leveraged by anyone who can access the affected WordPress site's frontend or backend interfaces.

Organizations affected by this vulnerability should prioritize immediate remediation through the upgrade to Dokan plugin version 3.7.6 or later, which incorporates proper parameter sanitization and escaping mechanisms. The fix addresses the root cause by implementing robust input validation and ensuring that all user-supplied parameters are properly escaped before being incorporated into SQL statements. Security professionals should also conduct comprehensive vulnerability assessments to identify any potential exploitation attempts that may have occurred prior to the patch deployment. The remediation process should include monitoring system logs for suspicious activities and verifying that the updated plugin functions correctly within the existing WordPress environment.
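As an added illustration of the weakness class and its fix in WordPress plugin code (this is not Dokan's code; the page does not name the affected parameter, so the `vendor_id` and `status` parameters, the table and the function names are hypothetical): a query that concatenates request parameters, beside the hardened form that validates input and binds it through `$wpdb->prepare()` placeholders.

```php
<?php
// Added example, not code from the Dokan plugin. Parameter names, table
// and function names are hypothetical; the page does not name the
// affected parameter. Shows the weakness class (CWE-89) and its fix.

// VULNERABLE: request values are concatenated straight into SQL.
// Any quote or operator in $_GET['status'] changes the query's meaning.
function example_vendor_orders_vulnerable() {
    global $wpdb;
    $vendor_id = $_GET['vendor_id'];
    $status    = $_GET['status'];
    $sql = "SELECT id, total FROM {$wpdb->prefix}example_orders"
         . " WHERE vendor_id = " . $vendor_id
         . " AND status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// FIXED: validate and normalise input, then bind it through
// $wpdb->prepare(), which escapes %s values and casts %d values so
// user data can never be interpreted as SQL syntax.
function example_vendor_orders_fixed() {
    global $wpdb;

    // Integers: coerce with absint(); a non-numeric value becomes 0.
    $vendor_id = isset( $_GET['vendor_id'] ) ? absint( $_GET['vendor_id'] ) : 0;
    if ( 0 === $vendor_id ) {
        return array();
    }

    // Enumerations: accept only known values, never the raw string.
    $allowed_status = array( 'pending', 'processing', 'completed' );
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : 'pending';
    if ( ! in_array( $status, $allowed_status, true ) ) {
        $status = 'pending';
    }

    // Identifiers (table/column names) cannot be bound as values;
    // the table name comes from $wpdb->prefix, not from the request.
    $sql = $wpdb->prepare(
        "SELECT id, total FROM {$wpdb->prefix}example_orders"
        . " WHERE vendor_id = %d AND status = %s",
        $vendor_id,
        $status
    );
    return $wpdb->get_results( $sql );
}
```

For LIKE clauses, pass the value through `$wpdb->esc_like()` before binding it with `%s`, since `prepare()` does not escape the `%` and `_` wildcards.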

This vulnerability maps to several industry security standards and frameworks, including CWE-89 (SQL Injection), which provides a standardized classification for such weaknesses. The ATT&CK framework categorizes it under technique T1190, Exploit Public-Facing Application, as it represents an attack vector that targets publicly accessible web applications. It also exhibits the characteristics the Common Weakness Enumeration associates with improper input validation and inadequate output escaping, both of which are fundamental security principles that should be applied throughout the software development lifecycle to prevent such issues from occurring in the first place.

Reservation

11/09/2022

Disclosure

12/12/2022

Moderation

accepted

CPE

ready

EPSS

0.01059

KEV

no

Activities

very low

Sources
