CVE-2025-14977: CWE-284 Improper Access Control in dokaninc Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
AI Analysis
Technical Summary
The Dokan WooCommerce Multivendor Marketplace plugin, in versions up to and including 4.2.4, has an improper access control flaw (CWE-284) in the /wp-json/dokan/v1/settings REST API endpoint: the record that the endpoint reads or writes is chosen by a user-controlled key that is never checked against the caller's own identity. This is a classic insecure direct object reference. Any authenticated user with customer-level permissions or above, which on a marketplace with open registration is effectively anyone, can read or modify other vendors' store settings, including payment details (PayPal email, bank account and routing numbers, IBAN, SWIFT codes) and contact information. Rewriting a victim vendor's PayPal email to an attacker-controlled address diverts that vendor's payouts the next time the marketplace pays out. The CVSS 3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): network attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality and integrity impact, no availability impact.
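To make the bug class concrete, the following is an added, illustrative WordPress REST route written for this page; it is not Dokan's code, and the page does not say which parameter the real endpoint mishandles. The route name `example/v1/settings`, the `vendor_id` parameter, the `example_store_settings` user-meta key and the `example_vendor` capability are all assumptions. The first route shows the IDOR pattern (the caller picks the record, the permission check only asks whether the caller is logged in); the second shows the hardened form, where the session's user decides which record is touched, the role is checked, and writable fields are whitelisted and validated.

```php
<?php
/**
 * Example only (not from the Dokan project): a minimal WordPress REST route
 * demonstrating the IDOR pattern described above, beside a hardened version.
 * Route, parameter, meta-key and capability names are assumptions.
 */

// Vulnerable pattern: the record to read/write is selected by a client-supplied
// ID, and the permission callback only checks "is the caller logged in?".
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-vulnerable', [
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $request ) {
            // Any authenticated user (customer or above) can pass another vendor's ID here.
            $vendor_id = (int) $request->get_param( 'vendor_id' );
            $settings  = (array) get_user_meta( $vendor_id, 'example_store_settings', true );

            // Whatever the client sends becomes the victim's payment settings.
            $payment = $request->get_param( 'payment' );
            if ( is_array( $payment ) ) {
                $settings['payment'] = $payment;
            }
            update_user_meta( $vendor_id, 'example_store_settings', $settings );
            return rest_ensure_response( $settings );
        },
    ] );
} );

// Hardened pattern: ownership comes from the authenticated session, not the
// request; the vendor role is required; only known fields are written.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', [
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => function () {
            // 'example_vendor' is an assumed capability name for store owners.
            return is_user_logged_in() && current_user_can( 'example_vendor' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            // Never derive ownership from a user-supplied ID.
            $vendor_id = get_current_user_id();
            $settings  = (array) get_user_meta( $vendor_id, 'example_store_settings', true );

            $payment = $request->get_param( 'payment' );
            if ( is_array( $payment ) ) {
                $allowed = [ 'paypal_email', 'bank_name', 'account_number', 'routing_number', 'iban', 'swift' ];
                foreach ( $allowed as $field ) {
                    if ( isset( $payment[ $field ] ) && is_scalar( $payment[ $field ] ) ) {
                        $settings['payment'][ $field ] = sanitize_text_field( (string) $payment[ $field ] );
                    }
                }
                if ( isset( $settings['payment']['paypal_email'] )
                     && ! is_email( $settings['payment']['paypal_email'] ) ) {
                    return new WP_Error( 'invalid_email', 'Invalid PayPal email.', [ 'status' => 400 ] );
                }
            }
            update_user_meta( $vendor_id, 'example_store_settings', $settings );
            return rest_ensure_response( $settings );
        },
    ] );
} );
```

The same ownership mistake applies to the read path: a GET handler that loads settings by a client-supplied ID leaks another vendor's bank details just as readily. The fix is identical, key every lookup on `get_current_user_id()` (or, for staff who legitimately manage other vendors, on an explicit capability check against the target ID) rather than on anything the request carries.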
Potential Impact
An attacker with any authenticated account at customer level or above can read and alter other vendors' store settings, including payout credentials such as PayPal email addresses and bank account details. Reading them exposes vendors' banking data; rewriting the PayPal email redirects the victim's marketplace payouts to an attacker-controlled account, so the loss is realised at the next payout run rather than at exploitation time, which can delay discovery. The vulnerability compromises the confidentiality and integrity of vendor data but not availability. No exploitation in the wild has been reported at the time of writing.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for the current remediation guidance and update Dokan as soon as a fixed release is published. Note that because a customer-level account is sufficient, limiting administrator or vendor privileges does not close this hole on its own: on a marketplace with open customer registration, any attacker can create the account they need. Until an official fix is available, consider closing or moderating self-registration, restricting the /wp-json/dokan/v1/settings endpoint to vendor accounts (for example with a WAF rule or a must-use plugin), and auditing every vendor's stored payment settings, especially PayPal email addresses, for changes the vendor did not make. Log requests to the endpoint and alert on payment-field changes so any misuse that does occur is caught before the next payout run.
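As an added example of the interim controls suggested above (written for this page, not supplied by the vendor), the following must-use plugin refuses the endpoint to non-vendor accounts and logs requests to it and changes to stored payment settings. It assumes that `dokandar` is Dokan's vendor capability and that `dokan_profile_settings` is the user-meta key under which store settings (with a `payment` sub-array) are kept; verify both on your own install before relying on it. It is a stop-gap, not a fix: a malicious vendor could still target other vendors, and only a vendor patch removes the flaw.

```php
<?php
/**
 * Plugin Name: Interim guard for dokan/v1/settings (example, not vendor-supplied)
 *
 * Drop into wp-content/mu-plugins/. Until a fix is confirmed, (1) restrict the
 * endpoint to vendor accounts and (2) log every request to it and every change
 * to stored payment settings for review. Assumptions: 'dokandar' is Dokan's
 * vendor capability and 'dokan_profile_settings' is the user-meta key holding
 * store settings with a 'payment' sub-array. Verify both before deploying.
 */

// Layer 1: gate the endpoint on the vendor capability and log each call.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/dokan/v1/settings' ) ) {
        return $result; // Not our endpoint; let WordPress proceed normally.
    }

    $user_id = get_current_user_id();
    error_log( sprintf(
        'dokan-settings-guard: request user=%d method=%s route=%s ip=%s',
        $user_id,
        $request->get_method(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );

    // Customer-level accounts (the attacker profile in the advisory) are refused.
    if ( ! $user_id || ! user_can( $user_id, 'dokandar' ) ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint restricted pending a fix.', [ 'status' => 403 ] );
    }
    return $result;
}, 10, 3 );

// Layer 2: alert when a user's stored payment settings change, and flag the
// case where the actor is not the vendor whose settings changed. The
// 'update_user_meta' action fires before the new value is written, so the
// stored value is still the old one here. Only field names are logged, not
// values, so bank details do not end up in the error log.
add_action( 'update_user_meta', function ( $meta_id, $object_id, $meta_key, $meta_value ) {
    if ( 'dokan_profile_settings' !== $meta_key ) {
        return;
    }
    $old = (array) get_user_meta( $object_id, 'dokan_profile_settings', true );
    $new = (array) $meta_value;
    $old_payment = (array) ( $old['payment'] ?? [] );
    $new_payment = (array) ( $new['payment'] ?? [] );
    if ( $old_payment === $new_payment ) {
        return;
    }

    $changed = [];
    foreach ( array_unique( array_merge( array_keys( $old_payment ), array_keys( $new_payment ) ) ) as $field ) {
        if ( ( $old_payment[ $field ] ?? null ) !== ( $new_payment[ $field ] ?? null ) ) {
            $changed[] = $field;
        }
    }

    $actor = get_current_user_id();
    error_log( sprintf(
        'dokan-settings-guard: payment settings of user %d changed by user %d (%s) fields=%s',
        $object_id,
        $actor,
        ( $actor === (int) $object_id ) ? 'self' : 'OTHER USER - investigate',
        implode( ',', $changed )
    ) );
}, 10, 4 );
```

Feed the `dokan-settings-guard` lines from the PHP error log into whatever alerting you already run; the entries marked "OTHER USER" are the ones to investigate first, and a change to `paypal_email` on any vendor should be confirmed with that vendor before the next payout run.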
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-19T15:58:09.269Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696f09b14623b1157c16d2df
Added to database: 1/20/2026, 4:50:57 AM
Last enriched: 4/9/2026, 4:54:52 PM
Last updated: 5/10/2026, 9:26:33 AM