dokaninc Dokan Plugin up to 5.0.3 on WordPress AJAX /dashboard/orders authorization

Summaryinfo

A vulnerability has been found in dokaninc Dokan Plugin up to 5.0.3 on WordPress and classified as critical. This issue affects some unknown processing of the file /dashboard/orders of the component AJAX Handler. Performing a manipulation results in authorization. This vulnerability was named CVE-2026-10023. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical has been found in dokaninc Dokan Plugin up to 5.0.3 on WordPress. This affects an unknown part of the file /dashboard/orders of the component AJAX Handler. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.

The weakness was presented by Kirasec. It is possible to read the advisory at wordfence.com. This vulnerability is uniquely identified as CVE-2026-10023 since 05/28/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 5.0.1 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• WordPress Plugin

Vendor

• dokaninc

Name

• Dokan Plugin

Version

• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion