CVE-2026-24359
Received Received - Intake
Authentication Bypass in Dokan-Lite Leads to Privilege Escalation

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24359
EUVD
EUVD-2026-15555
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dokan_inc dokan_lite to 4.2.4 (inc)
dokan_inc dokan_plugin to 4.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-24359 vulnerability allows attackers to bypass authentication controls and gain unauthorized administrative access to affected websites. Such unauthorized access can lead to exposure or manipulation of sensitive data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

Because this vulnerability is categorized under OWASP Top 10 A7: Identification and Authentication Failures, it directly impacts the security controls necessary to meet regulatory requirements for authentication and data protection.

Mitigating this vulnerability by updating to the patched version (4.2.5) or applying protective measures is critical to maintaining compliance with these standards.

Executive Summary

CVE-2026-24359 is a critical authentication bypass vulnerability in the Dokan WordPress plugin versions up to and including 4.2.4. It is classified as a broken authentication issue that allows an attacker to bypass normal authentication controls.

This flaw enables a malicious actor to perform actions normally restricted to higher privileged users, potentially gaining unauthorized administrative access to the affected website.

The vulnerability can be exploited by users with subscriber or developer privileges, making it easier for attackers to abuse the system.

Impact Analysis

This vulnerability can have severe impacts including unauthorized administrative access to your website, allowing attackers to control or manipulate site content, settings, and user data.

Such unauthorized access can lead to data breaches, defacement, installation of malicious code, or complete takeover of the affected site.

Because the vulnerability is easy to exploit and has a high CVSS score of 8.8, it is highly prone to mass exploitation campaigns targeting many websites.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Dokan Plugin to version 4.2.5 or later, which contains the patch fixing this authentication bypass issue.

Additionally, users of Patchstack can enable an automatic mitigation rule that blocks attacks exploiting this vulnerability until the plugin is updated.

Enabling auto-updates specifically for vulnerable plugins is also recommended to ensure rapid protection against exploitation.

Detection Guidance

The provided resources do not include specific detection methods or commands to identify the CVE-2026-24359 vulnerability on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart