
CVE-2022-3194: CWE-79 Cross-Site Scripting (XSS) in Unknown Dokan

Severity: Medium
Tags: Vulnerability, CVE-2022-3194, CWE-79
Published: Tue Jan 16 2024 (01/16/2024, 15:53:36 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: Dokan

Description

The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators.

AI-Powered Analysis

Last updated: 07/03/2025, 16:28:10 UTC

Technical Analysis

CVE-2022-3194 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the Dokan WordPress plugin in versions prior to 3.6.4. Dokan is a multi-vendor marketplace plugin for WordPress that lets vendors sell products on a shared platform. The vulnerability arises because the plugin allows vendors to inject arbitrary JavaScript into product reviews. Since these reviews are stored and later rendered in the WordPress admin interface or on the front end, the injected script executes in the browser of whoever views the review, including site administrators and customers. This stored XSS vector can lead to session hijacking, privilege escalation, defacement, or unauthorized actions performed on behalf of the victim user. The CVSS 3.1 base score is 5.4 (medium): the attack has low complexity and needs only low privileges (a vendor account), but it does require user interaction (a victim viewing the malicious review). The vulnerability affects confidentiality and integrity but not availability. No known exploits in the wild have been reported. The vulnerability was publicly disclosed in January 2024; the source data provides no official patch links, but the fixed version is 3.6.4 or later. The root cause is insufficient input sanitization and output encoding of user-generated content in product reviews, a common weakness in web applications that accept rich user input.

Potential Impact

For European organizations operating e-commerce platforms using WordPress with the Dokan plugin, this vulnerability poses a significant risk. Attackers with vendor accounts can inject malicious scripts that execute when administrators or other users view product reviews. This can lead to theft of administrative credentials, unauthorized changes to product listings or orders, and potential compromise of the entire WordPress site. Given the widespread use of WordPress in Europe and the popularity of Dokan for multi-vendor marketplaces, the vulnerability could facilitate targeted attacks on online retailers, especially those handling sensitive customer data or payment information. The compromise of administrative accounts could also lead to data breaches under GDPR regulations, resulting in legal and financial penalties. Additionally, reputational damage from defacement or customer data exposure could impact business continuity and trust. The medium severity indicates that while exploitation is not trivial, the impact on confidentiality and integrity is notable, especially in regulated sectors such as finance, healthcare, and retail prevalent across Europe.

Mitigation Recommendations

European organizations should immediately verify their Dokan plugin version and upgrade to version 3.6.4 or later where the vulnerability is patched. If upgrading is not immediately possible, implement strict input validation and output encoding on product review fields to neutralize JavaScript code. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in HTTP requests related to product reviews. Limit vendor privileges to only what is necessary and monitor vendor activity for unusual review submissions. Conduct regular security audits and penetration testing focused on user-generated content handling. Educate administrators to be cautious when reviewing vendor-submitted content and consider disabling HTML or script tags in reviews temporarily. Enable Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce XSS impact. Finally, maintain comprehensive logging and alerting to detect exploitation attempts early.
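The output-encoding, logging and CSP measures recommended above, shown together as an added example in the form of a WordPress must-use plugin. This is illustrative code written for this page, not Dokan's, WPScan's or WordPress core's code. It assumes that product reviews are stored as WordPress comments (the usual WooCommerce arrangement, an assumption with respect to Dokan) and therefore pass through the core `preprocess_comment` and `comment_text` filters; the `rvh_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Review output hardening (added example, not Dokan's own code)
 * Description: Allowlist-sanitises product review text on output and on input,
 *              logs rejected markup, and sends a CSP header. Assumes reviews are
 *              WordPress comments rendered through the 'comment_text' filter.
 */

// Tags a review is allowed to contain. Everything else, including <script>,
// <img onerror=...> and event-handler attributes, is stripped by wp_kses().
function rvh_allowed_review_tags() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'p'      => array(),
    );
}

// 1. Output encoding: sanitise at render time, whatever was stored.
//    Priority 1 so it runs before core's wpautop()/make_clickable() formatting.
function rvh_sanitize_review_output( $text ) {
    return wp_kses( $text, rvh_allowed_review_tags() );
}
add_filter( 'comment_text', 'rvh_sanitize_review_output', 1 );

// 2. Input-side check: normalise the stored content as well, and log every
//    submission whose markup had to be stripped so it can feed alerting.
//    $commentdata keys used here (comment_content, user_id, comment_post_ID)
//    are the ones core passes to 'preprocess_comment'.
function rvh_preprocess_review( $commentdata ) {
    $raw   = (string) $commentdata['comment_content'];
    $clean = wp_kses( $raw, rvh_allowed_review_tags() );

    if ( $clean !== $raw ) {
        error_log( sprintf(
            'review-hardening: disallowed markup stripped from review by user %d on post %d',
            (int) $commentdata['user_id'],
            (int) $commentdata['comment_post_ID']
        ) );
        $commentdata['comment_content'] = $clean;
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'rvh_preprocess_review' );

// 3. Defence in depth: a CSP without 'unsafe-inline' means an inline payload
//    that somehow survives sanitisation is refused by the browser.
function rvh_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'rvh_send_csp' );
```

Place the file in `wp-content/mu-plugins/` so it loads before ordinary plugins and cannot be deactivated from the dashboard. The output filter is the one that actually closes the hole, because it applies to reviews that were stored before the fix; the input filter only prevents new payloads from being stored and supplies the log line for alerting. Roll the CSP out first as `Content-Security-Policy-Report-Only`, since many themes and plugins, and parts of wp-admin, rely on inline scripts and will break under a `script-src 'self'` policy until those scripts are moved to files or given nonces.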


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-09-13T10:02:00.257Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683dc31f182aa0cae24a04db

Added to database: 6/2/2025, 3:28:31 PM

Last enriched: 7/3/2025, 4:28:10 PM

Last updated: 8/12/2025, 7:52:39 AM

Views: 13
