CVE-2025-12809 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Dokan Pro plugin for WordPress, a popular multi-vendor marketplace solution. The issue arises from the absence of a capability check on the REST API endpoint /dokan/v1/wholesale/register, which is intended for wholesale registration processes. Due to this missing authorization, unauthenticated attackers can query this endpoint with a user ID parameter to retrieve sensitive user information such as email addresses, usernames, display names, user roles, and registration dates. This exposure violates the principle of least privilege and allows data enumeration without any authentication or user interaction. The vulnerability affects all versions of Dokan Pro up to 4.1.3. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. Although no integrity or availability impacts exist, the leakage of personally identifiable information (PII) can facilitate targeted phishing campaigns, identity theft, or further exploitation. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability was publicly disclosed on December 16, 2025, with the initial reservation on November 6, 2025.

For European organizations, this vulnerability poses a significant privacy risk by exposing user PII such as email addresses and user roles without authorization. This can lead to increased phishing attacks, social engineering, and potential identity theft targeting employees, customers, or partners. Organizations subject to GDPR and other stringent data protection laws face compliance risks due to unauthorized data exposure, potentially resulting in regulatory fines and reputational damage. Since Dokan Pro is widely used in e-commerce platforms, especially those operating multi-vendor marketplaces, the impact extends to business continuity and customer trust. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have cascading effects on organizational security posture and customer relationships. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting by malicious actors.

European organizations should immediately audit their WordPress environments to identify installations of Dokan Pro plugin versions up to 4.1.3. Until an official patch is released, practical mitigations include restricting access to the vulnerable REST API endpoint via web application firewalls (WAFs) or custom rules that block unauthenticated requests to /dokan/v1/wholesale/register. Implementing IP whitelisting or authentication requirements for API access can reduce exposure. Monitoring web server logs for unusual or repeated access attempts to this endpoint can help detect exploitation attempts. Organizations should also review user data access policies and limit the amount of sensitive information exposed via APIs. Once a patch becomes available, prompt application of updates is critical. Additionally, organizations should educate users and administrators about phishing risks stemming from leaked email addresses and enforce multi-factor authentication (MFA) to mitigate downstream attacks.