CVE-2025-12809 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Dokan Pro plugin for WordPress, a popular multi-vendor marketplace solution. The flaw exists in the REST API endpoint /dokan/v1/wholesale/register, which lacks proper capability checks to verify if the requester is authorized to access user data. As a result, unauthenticated attackers can query this endpoint with a user ID and retrieve sensitive user information including email addresses, usernames, display names, user roles, and registration dates. This unauthorized data exposure can facilitate user enumeration attacks and privacy violations. The vulnerability affects all versions of Dokan Pro up to and including 4.1.3. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to the ease of exploitation (no authentication or user interaction required) but limited impact to confidentiality only, with no integrity or availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on Dokan Pro for their e-commerce platforms, especially those with large user bases. The missing authorization check is a critical security oversight that should be addressed promptly.

The primary impact of this vulnerability is unauthorized disclosure of user information, which compromises confidentiality. Attackers can enumerate users and harvest email addresses and other personal details, enabling targeted phishing, social engineering, or further attacks against users or the organization. While the vulnerability does not affect data integrity or system availability, the exposure of personally identifiable information (PII) can lead to reputational damage, regulatory non-compliance (e.g., GDPR), and loss of customer trust. Organizations operating e-commerce sites with Dokan Pro may face increased risk of account takeover attempts or fraud if attackers leverage harvested data. The ease of exploitation without authentication broadens the attack surface, making automated scanning and mass enumeration feasible. Although no known exploits are currently in the wild, the vulnerability’s presence in a widely used WordPress plugin suggests a potentially large affected population.

1. Immediately update Dokan Pro to a patched version once released by the vendor that includes proper authorization checks on the /dokan/v1/wholesale/register endpoint. 2. Until a patch is available, restrict access to the REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to /dokan/v1/wholesale/register. 3. Employ IP whitelisting or authentication mechanisms to limit access to sensitive API endpoints. 4. Monitor web server and application logs for suspicious access patterns targeting the vulnerable endpoint to detect potential exploitation attempts. 5. Review user data exposure policies and minimize the amount of sensitive information returned by APIs. 6. Conduct regular security audits and penetration tests focusing on REST API authorization controls. 7. Educate users about phishing risks and encourage strong password practices to mitigate downstream attacks leveraging harvested data.