
CVE-2025-14977: CWE-284 Improper Access Control in dokaninc Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Severity: High
Tags: CVE-2025-14977, CWE-284
Published: Tue Jan 20 2026 (01/20/2026, 04:35:45 UTC)
Source: CVE Database V5
Vendor/Project: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Description

CVE-2025-14977 is a high-severity vulnerability in the Dokan AI Powered WooCommerce Multivendor Marketplace WordPress plugin, affecting all versions up to and including 4.2.4. It is an Insecure Direct Object Reference (IDOR) in the /wp-json/dokan/v1/settings REST API endpoint that allows authenticated users with customer-level permissions or higher to read and modify other vendors' store settings. The exposed data includes payment details such as PayPal emails, bank account numbers, routing numbers, IBANs, and SWIFT codes. An attacker can also change a vendor's PayPal email address to their own, redirecting funds during marketplace payouts. Exploitation requires no user interaction but does require authentication with at least customer-level privileges. No exploits are currently reported in the wild. The flaw impacts confidentiality and integrity but not availability. European organizations using this plugin for multivendor marketplaces face significant financial and reputational risk if it is exploited.

AI-Powered Analysis

Last updated: 01/20/2026, 05:05:17 UTC

Technical Analysis

The vulnerability identified as CVE-2025-14977 affects the Dokan AI Powered WooCommerce Multivendor Marketplace plugin for WordPress, a popular solution enabling users to build marketplaces similar to Amazon or eBay. The flaw is an Insecure Direct Object Reference (IDOR) stemming from insufficient validation of a user-controlled key in the /wp-json/dokan/v1/settings REST API endpoint. This endpoint allows authenticated users with customer-level permissions or higher to read and modify the store settings of other vendors on the platform. The exposed data includes highly sensitive payment information such as PayPal email addresses, bank account details, routing numbers, IBANs, and SWIFT codes, as well as contact information like phone numbers and addresses. Exploitation enables an attacker to alter PayPal payout email addresses to their own, facilitating direct financial theft when the marketplace processes vendor payouts. The vulnerability does not require user interaction but does require authentication, which lowers the attack complexity but still restricts exploitation to users with some level of access. The CVSS score of 8.1 reflects the high impact on confidentiality and integrity, with no impact on availability. No patches are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the sensitive nature of the data and potential financial losses. The vulnerability arises from improper access control (CWE-284), highlighting a failure to enforce proper authorization checks on REST API requests. Organizations using this plugin should prioritize remediation to prevent unauthorized data access and financial fraud.

Potential Impact

For European organizations operating multivendor marketplaces using the Dokan plugin, this vulnerability poses a severe risk to both financial assets and customer trust. Exposure of sensitive payment information can lead to direct financial theft, fraud, and potential regulatory penalties under GDPR due to mishandling of personal and financial data. The ability to modify payout details allows attackers to redirect funds, causing direct monetary losses. Additionally, compromised vendor data can damage marketplace reputation, reduce vendor confidence, and lead to customer attrition. Given the widespread use of WooCommerce and Dokan in Europe, especially among SMEs and e-commerce platforms, the impact could be broad. Financial institutions and payment processors may also face increased fraud risk. The vulnerability does not affect system availability, so attacks may go unnoticed for extended periods, increasing potential damage. Compliance risks are heightened in Europe due to stringent data protection laws, potentially resulting in fines and legal consequences if breaches occur.

Mitigation Recommendations

Organizations should immediately verify their Dokan plugin version and upgrade to a patched release once available. In the absence of an official patch, implement strict access controls on the /wp-json/dokan/v1/settings REST API endpoint by restricting access to trusted roles only, ideally administrators. Employ Web Application Firewalls (WAFs) to monitor and block suspicious API requests attempting to access or modify other vendors' settings. Conduct thorough audits of vendor payout configurations to detect unauthorized changes, especially PayPal email addresses. Enable multi-factor authentication (MFA) for all user accounts with access to vendor settings to reduce the risk of compromised credentials. Regularly review and limit user permissions to the minimum necessary, avoiding granting customer-level users unnecessary access. Monitor logs for unusual activity related to REST API calls and vendor data modifications. Educate marketplace vendors about potential phishing or social engineering attempts that could leverage this vulnerability. Finally, prepare incident response plans to quickly address any exploitation attempts or data breaches.
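The interim control described above (restrict the settings route to trusted roles and log REST calls against it) can be implemented with core WordPress hooks alone. The following is an added example written for this page; it is not code from the Dokan project or from the advisory. It uses only WordPress core APIs (rest_pre_dispatch, current_user_can, WP_Error); the route prefix /dokan/v1/settings is taken from the advisory, and the file name and log format are assumptions.

```php
<?php
/**
 * Added example (not from the original page or the Dokan project): a
 * must-use plugin that restricts the /dokan/v1/settings REST route to
 * administrators and logs every attempt, as a stop-gap until a patched
 * release is installed. Relies only on WordPress core hooks.
 *
 * Assumed location: wp-content/mu-plugins/restrict-dokan-settings.php
 */

add_filter( 'rest_pre_dispatch', 'example_restrict_dokan_settings_route', 10, 3 );

/**
 * @param mixed           $result  Null to let WordPress dispatch normally.
 * @param WP_REST_Server  $server  REST server instance.
 * @param WP_REST_Request $request Incoming request.
 * @return mixed Original $result, or a WP_Error that becomes a 403 response.
 */
function example_restrict_dokan_settings_route( $result, $server, $request ) {
    // Only act on the settings route named in the advisory (and its sub-routes).
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/dokan/v1/settings' ) ) {
        return $result;
    }

    $user_id = get_current_user_id(); // 0 for unauthenticated requests
    $method  = $request->get_method();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Detection: record every hit so payout-detail changes can be reconciled
    // against the audit of vendor configurations recommended above.
    error_log( sprintf(
        '[dokan-settings-guard] user=%d method=%s route=%s ip=%s',
        $user_id,
        $method,
        $route,
        $ip
    ) );

    // Trusted role check: administrators keep access, everyone else (including
    // customer-level accounts the advisory says can reach this route) is denied.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    return new WP_Error(
        'rest_forbidden',
        __( 'Access to this endpoint is restricted while a security fix is pending.' ),
        array( 'status' => 403 )
    );
}
```

Returning a WP_Error from rest_pre_dispatch short-circuits routing, so the plugin's own permission callback is never reached. The trade-off, which the recommendation above accepts by suggesting administrators only, is that vendors lose the ability to edit their own settings through this route while the filter is active; confirm in a staging environment that the vendor dashboard still functions before deploying, and remove the filter once a patched plugin release is installed.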


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-19T15:58:09.269Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696f09b14623b1157c16d2df

Added to database: 1/20/2026, 4:50:57 AM

Last enriched: 1/20/2026, 5:05:17 AM

Last updated: 1/20/2026, 1:58:53 PM
