PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11987 dokaninc CVE debrief

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4. This vulnerability allows authenticated attackers, with subscriber-level access and above, to read any other vendor's products, including unpublished draft and pending listings. The vulnerability exists due to missing validation on a user-controlled key in the 'id' parameter. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability, rather than confirming the requested author ID or product ownership matches the authenticated user.

Vendor: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-27
Original CVE updated: 2026-06-29
Advisory published: 2026-06-27
Advisory updated: 2026-06-29

Who should care

Website administrators using the Dokan Multivendor Marketplace Solution plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability could allow attackers to access sensitive information about other vendors' products, potentially leading to data breaches or other security issues. Administrators of e-commerce platforms using this plugin should prioritize updating to a patched version.

Technical summary

The Dokan Multivendor Marketplace Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) attacks. This occurs because the plugin fails to properly validate user-controlled input in the 'id' parameter, allowing authenticated attackers with subscriber-level access or higher to read products belonging to other vendors. The vulnerability affects all versions up to and including 5.0.4. The issue arises from the permission callbacks used in the collection and single-item endpoints, which only check for the generic 'dokan_view_product_menu' or 'dokandar' capability, rather than verifying the requested product's author ID or ownership matches the authenticated user.
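As an added illustration (not Dokan's own code; the route namespace, handler and function names are hypothetical), a WordPress REST permission callback of the kind the summary describes: the capability-only check beside one that also verifies the referenced product belongs to the caller, and a collection handler that derives the author filter from the session rather than from the request.

```php
<?php
// Added example, not Dokan's code. Names prefixed "example_" are hypothetical.
// 'dokandar' is the generic vendor capability named in the advisory;
// 'manage_woocommerce' is the WooCommerce shop-manager capability.

// Weak pattern: any authenticated user holding the vendor capability passes,
// regardless of who owns the product referenced by {id}.
function example_product_permission_weak( WP_REST_Request $request ) {
    return current_user_can( 'dokandar' );
}

// Hardened single-item check: capability AND ownership of the requested object.
function example_product_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'dokandar' ) ) {
        return new WP_Error( 'rest_forbidden', 'Vendor capability required.', array( 'status' => 403 ) );
    }
    $product = get_post( absint( $request->get_param( 'id' ) ) );
    if ( ! $product || 'product' !== $product->post_type ) {
        return new WP_Error( 'rest_not_found', 'Product not found.', array( 'status' => 404 ) );
    }
    // The product's author must be the authenticated user; shop managers keep
    // cross-vendor access through a distinct, explicitly granted capability.
    if ( (int) $product->post_author !== get_current_user_id()
         && ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only view your own products.', array( 'status' => 403 ) );
    }
    return true;
}

// Collection handler: the author filter comes from the session, so a client-
// supplied "author" parameter cannot widen the result set to other vendors.
function example_list_own_products( WP_REST_Request $request ) {
    $products = get_posts( array(
        'post_type'   => 'product',
        'author'      => get_current_user_id(),
        'post_status' => array( 'publish', 'draft', 'pending' ),
        'numberposts' => 50,
    ) );
    return rest_ensure_response( wp_list_pluck( $products, 'post_title', 'ID' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/products', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_own_products',
        'permission_callback' => function () { return current_user_can( 'dokandar' ); },
    ) );
    register_rest_route( 'example-vendor/v1', '/products/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_product', // hypothetical read handler
        'permission_callback' => 'example_product_permission',
    ) );
} );
```

The ownership check is performed in the permission callback so that it cannot be bypassed by a handler that forgets it; a request log entry for a 403 on the single-item route is also a useful signal when hunting for enumeration of other vendors' product IDs.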

Defensive priority

High priority should be given to updating the Dokan Multivendor Marketplace Solution plugin to a version that addresses this vulnerability. Website administrators should also consider implementing additional security measures, such as monitoring for suspicious activity and restricting access to sensitive product information.

Recommended defensive actions

  • Update the Dokan Multivendor Marketplace Solution plugin to the latest version.
  • Implement additional security measures to monitor and restrict access to product information.
  • Conduct a thorough review of the plugin's configuration and usage to identify potential vulnerabilities.
  • Consider implementing a Web Application Firewall (WAF) to detect and prevent IDOR attacks.
  • Regularly review and update the plugin to ensure it remains secure and up-to-date.

Evidence notes

The CVE-2026-11987 vulnerability was identified in the Dokan Multivendor Marketplace Solution plugin for WordPress. The vulnerability allows authenticated attackers to read other vendors' products due to insecure direct object referencing. The issue was reported by security researchers and is publicly documented in various sources, including the CVE record and NVD detail pages.

Official resources

This article is AI-assisted and based on the supplied source corpus.