PatchSiren cyber security CVE debrief

CVE-2026-10023 dokaninc CVE debrief

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in versions up to and including 5.0.3. This vulnerability allows authenticated attackers with custom vendor-level access and above to modify arbitrary orders, add notes to any order, delete order notes or WordPress comments, inject fake shipping tracking information, and grant or revoke downloadable-product permissions. The vulnerability exists due to missing ownership validation on user-controlled order ID keys in several AJAX handlers.

Vendor: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

Sites running WooCommerce with the Dokan Multivendor Marketplace Solution plugin installed are affected and should be aware of this vulnerability. Site administrators and security teams should prioritize patching to prevent potential attacks.

Technical summary

The Dokan plugin is vulnerable to IDOR because several AJAX handlers, including change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download, act on a user-controlled order ID without validating that the caller owns that order. The nonce check in these handlers only confirms that the request comes from a logged-in session; it does not confirm ownership of the referenced order, so an attacker can harvest a valid nonce from their own order page and reuse it against other vendors' orders.
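As an added illustration of the pattern described above (example code, not Dokan's own), here is a vendor "change order status" WordPress AJAX handler in its nonce-only form beside a hardened form that resolves the order's vendor server-side and compares it to the current user. The helper example_vendor_id_for_order(), the meta key, the nonce action and the capability name are assumptions, not Dokan identifiers.

```php
// Added example (not Dokan's code): the same vendor "change order status" AJAX
// handler, first with only a nonce check, then with an ownership check added.
// example_vendor_id_for_order() is a hypothetical stand-in for however a
// marketplace plugin records which vendor an order belongs to.
function example_vendor_id_for_order( WC_Order $order ): int {
    return (int) $order->get_meta( '_example_vendor_id' ); // assumed meta key
}

// VULNERABLE: the nonce proves the request came from a logged-in vendor's own
// page, but nothing ties $_POST['order_id'] to that vendor, so the same nonce
// is accepted for any order ID the caller chooses to submit.
function example_change_order_status_vulnerable() {
    check_ajax_referer( 'example-order-nonce', 'security' );
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    $order->update_status( sanitize_key( $_POST['status'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: same nonce check, plus a capability check and a server-side
// ownership check comparing the order's vendor to the current user.
function example_change_order_status_hardened() {
    check_ajax_referer( 'example-order-nonce', 'security' );
    if ( ! current_user_can( 'example_manage_own_orders' ) ) { // hypothetical cap
        wp_send_json_error( 'forbidden', 403 );
    }
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    // Same response for "missing" and "not yours", so other vendors' order IDs
    // cannot be confirmed by comparing error messages.
    if ( ! $order || example_vendor_id_for_order( $order ) !== get_current_user_id() ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // Restrict the transition itself to the statuses a vendor is meant to set.
    $status = sanitize_key( $_POST['status'] ?? '' );
    if ( ! in_array( $status, array( 'processing', 'completed' ), true ) ) {
        wp_send_json_error( 'status not allowed', 400 );
    }
    $order->update_status( $status );
    wp_send_json_success();
}

// wp_ajax_* hooks only fire for logged-in users; that is all the nonce check
// in the vulnerable version was relying on, and it is not enough on its own.
add_action( 'wp_ajax_example_change_order_status', 'example_change_order_status_hardened' );
```

The same ownership check belongs in every handler that takes an order ID (notes, tracking info, download permissions), not only the status change shown here.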

Defensive priority

High

Recommended defensive actions

  • Update Dokan: AI Powered WooCommerce Multivendor Marketplace Solution to a version beyond 5.0.3
  • Restrict access to sensitive AJAX handlers
  • Implement additional logging and monitoring for order modifications
  • Enforce strong authentication and authorization for vendor-level users
  • Regularly review and update WordPress and plugin versions
  • Consider using a Web Application Firewall (WAF) to detect and prevent IDOR attacks

Evidence notes

The vulnerability was discovered and reported by [email protected]. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1. The CVE record and NVD detail provide additional context.

Official resources

CVE-2026-10023 was published on 2026-06-18T04:16:33.803Z and modified on 2026-06-18T15:23:56.087Z.