CVE-2025-12809: CWE-862 Missing Authorization in wedevs Dokan Pro
The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates.
AI Analysis
Technical Summary
CVE-2025-12809 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Dokan Pro plugin for WordPress, affecting all versions up to and including 4.1.3. The issue arises from the absence of a capability check on the REST API endpoint /dokan/v1/wholesale/register, which is intended for wholesale registration processes. This missing authorization allows unauthenticated attackers to query the API with a user ID and retrieve sensitive user information including email addresses, usernames, display names, user roles, and registration dates. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the limited impact on confidentiality (partial disclosure of user data) and no impact on integrity or availability. Although no public exploits have been reported, the exposure of personally identifiable information (PII) can facilitate further attacks such as phishing or social engineering. The vulnerability affects organizations using Dokan Pro for multi-vendor marketplaces or e-commerce platforms, which are common in WordPress environments. The lack of a patch at the time of reporting necessitates immediate mitigation efforts to prevent unauthorized data disclosure. The vulnerability was publicly disclosed on December 16, 2025, with Wordfence as the assigner. Given the widespread use of WordPress and Dokan Pro in Europe, this vulnerability poses a tangible risk to user privacy and regulatory compliance.
Potential Impact
For European organizations, the primary impact of CVE-2025-12809 is the unauthorized disclosure of user data, including email addresses and other personal identifiers, which can lead to privacy violations and undermine customer trust. This exposure can facilitate targeted phishing campaigns, identity theft, and social engineering attacks. Organizations subject to the EU General Data Protection Regulation (GDPR) may face legal and financial repercussions due to inadequate protection of personal data. The vulnerability does not affect system integrity or availability directly but compromises confidentiality, which is critical for maintaining compliance and reputation. E-commerce platforms and marketplaces relying on Dokan Pro are particularly vulnerable, as they manage large volumes of user data. The ease of exploitation without authentication increases the risk of mass data harvesting by attackers. Additionally, the exposure of user roles and registration dates can aid attackers in crafting more convincing attacks or privilege escalation attempts. Overall, the vulnerability threatens data privacy and regulatory compliance for European entities using the affected plugin.
Mitigation Recommendations
1. Immediately restrict access to the /dokan/v1/wholesale/register REST API endpoint by implementing web application firewall (WAF) rules or server-level access controls to block unauthenticated requests.
2. Apply custom authorization checks within the WordPress environment to ensure that only authenticated and authorized users can access the vulnerable endpoint.
3. Monitor API logs for unusual or repeated access patterns targeting the wholesale registration endpoint to detect potential exploitation attempts.
4. Disable or limit the use of the Dokan Pro wholesale registration feature if it is not essential to business operations.
5. Regularly update the Dokan Pro plugin as soon as the vendor releases a security patch addressing this vulnerability.
6. Conduct a thorough audit of user data exposure and notify affected users if a data breach is suspected, in compliance with GDPR requirements.
7. Educate administrators and developers about secure API design and the importance of capability checks on REST endpoints.
8. Employ network segmentation and least privilege principles to minimize the exposure of critical systems and data.
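As an added illustration of recommendations 2 and 7 (not Dokan Pro's own code), the following hypothetical WordPress REST route shows the missing-authorization pattern behind CWE-862 and how a real permission_callback with a capability check closes it; the `example/v1` namespace, the handler names and the choice of the `edit_user` capability are assumptions.

```php
<?php
// Hypothetical route illustrating the CWE-862 pattern; namespace, handler and
// capability are assumptions, not Dokan Pro's code.
//
// WEAK (the shape of the bug): a permission_callback that always returns true
// lets an unauthenticated caller reach the handler and any user data it returns:
//   'permission_callback' => '__return_true',
//
// HARDENED: declare the argument schema, require a logged-in user, and demand a
// capability over the target account unless the caller is acting on themselves.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/wholesale/register', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_wholesale_register',
        'permission_callback' => 'example_wholesale_register_permission',
        'args'                => [
            'user_id' => ['required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint'],
        ],
    ]);
});

function example_wholesale_register_permission(WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    $target = (int) $request->get_param('user_id');
    // Self-service is allowed; acting on another account needs the edit_user meta capability.
    if ($target !== get_current_user_id() && !current_user_can('edit_user', $target)) {
        return new WP_Error('rest_forbidden', 'Insufficient capability.', ['status' => 403]);
    }
    return true;
}

function example_wholesale_register(WP_REST_Request $request) {
    $user = get_userdata((int) $request->get_param('user_id'));
    if (!$user) {
        return new WP_Error('rest_no_user', 'Unknown user.', ['status' => 404]);
    }
    // Return only what the caller needs; never echo back email, role or registration date.
    return rest_ensure_response(['user_id' => $user->ID, 'wholesale_status' => 'pending']);
}
```

The same 401/403 responses give the log monitoring in recommendation 3 a clear signal: repeated 401s against this route from one client are what an enumeration attempt looks like once the check is in place.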
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T16:12:03.255Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6940f308a4f72ecfca032936
Added to database: 12/16/2025, 5:50:00 AM
Last enriched: 12/23/2025, 7:13:57 AM
Last updated: 2/6/2026, 6:18:51 AM