CVE-2026-11987 in Dokan Plugin

Summary

by MITRE • 06/27/2026

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.


Analysis

by VulDB Data Team • 06/27/2026

The Dokan WooCommerce marketplace plugin presents a critical insecure direct object reference vulnerability that undermines the security boundaries between vendor accounts within the multivendor ecosystem. This flaw affects all versions up to and including 5.0.4, creating a fundamental access control weakness where authenticated users with subscriber-level privileges or higher can bypass normal permission checks to access other vendors' product data. The vulnerability stems from inadequate input validation on the 'id' parameter, which serves as a direct reference to database objects without proper authorization verification.

The vulnerability sits at the REST API endpoint level, where both the collection endpoint and the single-item endpoint rely solely on generic vendor capabilities rather than on ownership verification. Specifically, the permission callbacks check for the 'dokan_view_product_menu' or 'dokandar' capability, which every vendor in the system holds, so the checks draw no distinction between a user's own products and those belonging to other vendors. Because the 'id' parameter is accepted without confirming that the referenced product belongs to the requesting user, a vendor can request products from other vendor accounts, breaking the isolation that should exist between separate merchant listings.

The operational impact of this vulnerability extends beyond simple information disclosure to encompass complete data exposure across the marketplace platform. Authenticated attackers can access unpublished draft products, pending listings, and sensitive commercial information including product names, pricing structures, stock keeping units, and detailed descriptions that belong to competing vendors. This exposure creates significant competitive risks and potential financial losses for merchants who rely on Dokan's platform for their business operations, while also violating standard security principles of least privilege and data segmentation that are fundamental to secure multi-tenant applications.

This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic example of insufficient authorization checks in web applications. The flaw demonstrates poor adherence to the principle of least privilege as defined by NIST SP 800-53, where users should only have access to resources they are explicitly authorized to view. From an attack framework perspective, this vulnerability maps to ATT&CK technique T1078 (Valid Accounts) and T1213 (Data from Information Repositories), as it allows attackers to leverage legitimate user credentials to access restricted data repositories. The remediation approach should focus on implementing proper object ownership verification through parameter validation that confirms the requesting user's authorization to access specific product records, rather than relying on generic role-based permissions.
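To make the remediation concrete, the following is an added illustration written for this page, not Dokan's code and not taken from the advisory. It shows a WordPress REST permission callback of the kind the advisory describes (a generic capability check only) next to a hardened version that also verifies ownership of the requested product, and a collection handler that pins the author query to the authenticated vendor instead of trusting a caller-supplied author ID. The namespace 'example-vendor/v1', all function names prefixed 'example_', and the assumption that products are posts of type 'product' whose post_author is the owning vendor are hypothetical; 'dokan_view_product_menu' is the capability named in the advisory, and 'manage_woocommerce' is WooCommerce's shop-manager capability.

```php
<?php
/**
 * Added illustration (not Dokan's code). Assumptions, all hypothetical:
 * the route namespace 'example-vendor/v1', the example_* function names,
 * and that products are 'product' posts whose post_author is the vendor.
 */

// --- Pattern the advisory describes: generic capability check only -----
// Every vendor holds this capability, so any vendor passes for any 'id'.
function example_capability_only_permission( WP_REST_Request $request ) {
    return current_user_can( 'dokan_view_product_menu' );
}

// --- Hardened pattern: capability check plus ownership check ------------
function example_owned_product_permission( WP_REST_Request $request ) {
    // Fail closed for anonymous callers and for users without the vendor capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'dokan_view_product_menu' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Vendor access required.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // Treat 'id' as untrusted input: coerce to a non-negative integer, reject zero.
    $product_id = absint( $request->get_param( 'id' ) );
    if ( 0 === $product_id ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid product id.', array( 'status' => 400 ) );
    }

    $product = get_post( $product_id );

    // Unknown ids and other vendors' ids get the same response, so the endpoint
    // does not reveal which product ids exist.
    if ( ! $product
        || 'product' !== $product->post_type
        || ! example_user_owns_product( $product, get_current_user_id() ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only access your own products.', array( 'status' => 403 ) );
    }

    return true;
}

/**
 * Ownership rule kept in one place so every product route applies the same
 * definition. Shop managers and administrators keep marketplace-wide access.
 */
function example_user_owns_product( WP_Post $product, $user_id ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return (int) $product->post_author === (int) $user_id;
}

// Collection handler: ignore any caller-supplied 'author' parameter and query
// only the authenticated vendor's products, drafts and pending items included.
function example_list_own_products( WP_REST_Request $request ) {
    $query = new WP_Query( array(
        'post_type'      => 'product',
        'post_status'    => array( 'publish', 'draft', 'pending' ),
        'author'         => get_current_user_id(), // pinned, never read from the request
        'fields'         => 'ids',
        'posts_per_page' => 50,
    ) );
    return rest_ensure_response( $query->posts );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/products', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_own_products',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'dokan_view_product_menu' );
        },
    ) );

    register_rest_route( 'example-vendor/v1', '/products/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // Ownership was already established by the permission callback.
            return rest_ensure_response( get_post( absint( $request['id'] ) ) );
        },
        'permission_callback' => 'example_owned_product_permission',
        'args'                => array(
            'id' => array(
                'validate_callback' => 'rest_is_integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The design point is that the ownership decision is made in the permission callback, before the handler runs, and that the collection route derives the vendor from the session rather than from a request parameter. Returning a 403 for both non-existent and foreign product ids keeps the single-item route from doubling as an enumeration oracle, which is also what an API access monitor should expect: a single vendor account producing a run of 403 responses across many product ids is the pattern worth alerting on.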

The security implications of this vulnerability extend to compliance requirements under various regulatory frameworks including PCI DSS and GDPR, where unauthorized access to commercial data can result in significant penalties. Organizations using Dokan must implement immediate mitigations including patching to versions with proper authorization controls, implementing additional monitoring for unusual API access patterns, and potentially adding rate limiting or anomaly detection mechanisms to identify potential exploitation attempts. The vulnerability highlights the critical importance of validating all user inputs at the application level and implementing robust ownership verification mechanisms in multi-user systems where data isolation is paramount to maintaining platform integrity and user trust.

Responsible

Wordfence

Reservation

06/11/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
