CVE-2026-11783 is a stored cross-site scripting vulnerability in the Dokan AI Powered WooCommerce Multivendor Marketplace Solution WordPress plugin. It affects all versions up to and including 5.0.4. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the Product SKU field. Authenticated attackers with custom-level access or higher can inject arbitrary JavaScript payloads that are stored and later executed in the context of any user visiting the injected page. The attack vector involves the store search widget which dynamically inserts unescaped AJAX response HTML into the DOM via jQuery's .html() method, exposing site visitors to the malicious script. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity.

Successful exploitation allows authenticated users with custom-level access or above to inject persistent malicious scripts into the Product SKU field. These scripts execute in the browsers of any users who view the affected pages, including unauthenticated visitors. This can lead to theft of sensitive information, session hijacking, or other client-side attacks. The vulnerability impacts confidentiality and integrity but does not affect availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict custom-level user access to trusted individuals only. Avoid using the store search widget or disable it if possible to reduce exposure. Monitor vendor channels for updates and apply patches promptly once released.