CVE-2025-14977: CWE-284 Improper Access Control in dokaninc Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
AI Analysis
Technical Summary
The Dokan AI Powered WooCommerce Multivendor Marketplace plugin for WordPress, widely used to create multivendor e-commerce platforms similar to Amazon or eBay, suffers from an Insecure Direct Object Reference vulnerability (CWE-284) identified as CVE-2025-14977. This vulnerability exists in the REST API endpoint /wp-json/dokan/v1/settings, where the plugin fails to properly validate a user-controlled key parameter. As a result, authenticated users with minimal permissions (customer-level or above) can access or modify the store settings of other vendors. These settings include highly sensitive payment information such as PayPal email addresses, bank account numbers, routing numbers, IBANs, and SWIFT codes, as well as contact details like phone numbers and addresses. Exploiting this flaw, an attacker can alter the PayPal email address linked to a vendor’s account to an attacker-controlled address, enabling direct theft of marketplace payouts. The vulnerability is remotely exploitable without user interaction, requiring only authentication. The CVSS v3.1 score of 8.1 reflects the high impact on confidentiality and integrity, though availability is unaffected. No patches are currently linked, and no known exploits have been reported in the wild, but the risk of financial fraud and data leakage is significant. This vulnerability highlights the importance of strict access control and input validation in multitenant e-commerce platforms.
Potential Impact
The impact of CVE-2025-14977 is substantial for organizations operating multivendor marketplaces using the Dokan plugin. Unauthorized access to other vendors’ sensitive payment and contact information can lead to severe confidentiality breaches and financial theft. Attackers can redirect payouts by changing PayPal email addresses, resulting in direct monetary losses for vendors and reputational damage for marketplace operators. The integrity of vendor data is compromised, undermining trust in the platform. Since the vulnerability requires only authenticated access at a low permission level, insider threats or compromised customer accounts can be leveraged to exploit this flaw. The widespread use of WooCommerce and Dokan in e-commerce means many small to medium-sized businesses could be affected, potentially disrupting their operations and causing legal and compliance issues related to data protection. The absence of known exploits currently offers a window for mitigation, but the vulnerability’s ease of exploitation and high impact make it a critical risk.
Mitigation Recommendations
To mitigate CVE-2025-14977, organizations should upgrade to a patched version of the Dokan plugin as soon as one is available. Until an official patch exists, administrators should restrict access to the /wp-json/dokan/v1/settings REST API endpoint with strict role-based access controls, so that customer-level accounts cannot reach it and each vendor can read or modify only their own store settings. A Web Application Firewall (WAF) that monitors and blocks suspicious API requests against this endpoint can further reduce risk. Administrators should also audit vendor account permissions to minimize the number of users with elevated privileges, monitor payout account changes closely, and require multi-factor authentication (MFA) for vendor accounts to limit account takeover. Vendors should be encouraged to verify their payout information regularly. Finally, consider isolating sensitive payment data from user-modifiable settings, or adding validation and logging around those fields so that unauthorized changes are detected promptly.
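As an added illustration (not Dokan's code and not the vendor's fix), the pattern that closes this class of IDOR on a WordPress REST settings route: the store being read or written is taken from the authenticated session, a client-supplied store key is refused whenever it names anyone else, customer roles are kept off the endpoint, and payout-email changes are logged for review. The route namespace, capability name, user-meta key and field names are assumptions.

```php
<?php
// Added example, not Dokan's code: an ownership-bound settings route.
// Namespace, capability, meta key and field names are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-market/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_market_settings',
        'permission_callback' => 'example_market_own_store_only',
    ) );
} );

// The store acted on is always the caller's own; a client-supplied key
// that names any other store is refused instead of being looked up.
function example_market_own_store_only( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
    }
    // Assumed capability held by vendor roles only; customer accounts lack it.
    if ( ! user_can( $user_id, 'example_manage_own_store' ) ) {
        return new WP_Error( 'rest_forbidden', 'Vendors only.', array( 'status' => 403 ) );
    }
    $requested = $request->get_param( 'store_id' );
    if ( null !== $requested && (int) $requested !== $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Not your store.', array( 'status' => 403 ) );
    }
    return true;
}

function example_market_settings( WP_REST_Request $request ) {
    $user_id  = get_current_user_id(); // authoritative object id, never from the request
    $settings = get_user_meta( $user_id, 'example_store_settings', true ) ?: array();
    if ( 'GET' === $request->get_method() ) {
        return rest_ensure_response( $settings );
    }
    // Accept only known fields, so unexpected keys cannot smuggle changes.
    $allowed = array_flip( array( 'store_name', 'phone', 'paypal_email' ) );
    $changes = array_intersect_key( (array) $request->get_json_params(), $allowed );
    if ( isset( $changes['paypal_email'] ) ) {
        $changes['paypal_email'] = sanitize_email( $changes['paypal_email'] );
        if ( $changes['paypal_email'] !== ( $settings['paypal_email'] ?? '' ) ) {
            // Payout destination changed: record it so the change can be reviewed.
            error_log( sprintf( 'payout email changed for vendor %d from %s',
                $user_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        }
    }
    update_user_meta( $user_id, 'example_store_settings', array_merge( $settings, $changes ) );
    return rest_ensure_response( array( 'updated' => array_keys( $changes ) ) );
}
```

The contrast with the flaw described above is that no request parameter ever selects which vendor's settings are loaded or saved; the only identifier used is the session's own user ID.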
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-19T15:58:09.269Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696f09b14623b1157c16d2df
Added to database: 1/20/2026, 4:50:57 AM
Last enriched: 2/27/2026, 11:47:03 AM
Last updated: 3/25/2026, 5:28:03 PM