CVE-2025-5931
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-08-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokan | dokan_pro | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Dokan Pro plugin for WordPress allows an authenticated attacker with vendor-level access or higher to escalate their privileges by taking over accounts. This happens because the plugin does not properly verify a user's identity before allowing a password reset for staff members. As a result, the attacker can change passwords of arbitrary users, including administrators, thereby gaining unauthorized access to their accounts.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized privilege escalation, allowing attackers to gain access to staff or administrator accounts. This can result in loss of control over the WordPress site, unauthorized changes, data breaches, and potential further exploitation of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Dokan Pro plugin to a version later than 4.0.5 where the issue is fixed. Additionally, review and restrict vendor-level access permissions to trusted users only, and monitor for any unauthorized password changes, especially for staff and administrator accounts.