CVE-2026-3504
Status: Deferred - Pending Action
Sensitive Information Exposure in Dokan WooCommerce Multivendor Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.
Meta Information
Published: 2026-05-02
Last Modified: 2026-05-05
Generated: 2026-06-16
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: wedevs
Product: dokan
Version / Range: up to and including 4.3.1
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress has a vulnerability in all versions up to and including 4.3.1. This vulnerability exists in the '/dokan/v1/stores/{id}/reviews' REST API endpoint, where the method 'prepare_reviews_for_response' unintentionally includes sensitive information such as reviewer email addresses, usernames, and user IDs in the API response.

Because of this, unauthenticated attackers can access and extract the email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. Exploiting this vulnerability requires the Pro version of the plugin to be installed and activated, with store reviews enabled.

Impact Analysis

This vulnerability can lead to sensitive information exposure, allowing unauthenticated attackers to obtain personal data such as email addresses, usernames, and user IDs of customers who have left reviews.

Such exposure can result in privacy violations, targeted phishing, and spam against the affected customers. Because the usernames are valid WordPress login names, the data also gives an attacker a ready-made list of accounts for password guessing or spraying against the site's login and XML-RPC endpoints.

Compliance Impact

This vulnerability allows unauthenticated attackers to access personal data (email addresses, usernames, and user IDs) of customers who left reviews. Under the GDPR and similar data-protection laws, such exposure can count as a personal data breach, which triggers assessment and, where required, notification duties for the site operator.

Because the exposure needs no authentication and covers every reviewer of every store, it also conflicts with the data-minimization and confidentiality principles those laws impose, with possible legal and regulatory consequences for affected organizations.

Detection Guidance

A site is exposed when Dokan is installed at version 4.3.1 or earlier, Dokan Pro is active, and store reviews are enabled. The installed version alone is not conclusive; the REST response is the authoritative check.

To confirm, request the endpoint '/dokan/v1/stores/{id}/reviews' for a store that has at least one review, sending no cookies or credentials, and inspect the JSON for reviewer email addresses, usernames, or user IDs. {id} is the numeric store ID used by the Dokan stores endpoint.

A sample command using curl:

  • curl -s -H 'Accept: application/json' https://your-wordpress-site.com/wp-json/dokan/v1/stores/{id}/reviews

If the response contains email addresses, login names, or numeric user IDs of reviewers, the vulnerability is present. A store with no reviews returns nothing to harvest, so an empty result from such a store is not a negative finding; test against a store that has reviews.
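The check above as a reusable scanner, added here as an example rather than code from Dokan or Wordfence: a PHP CLI script that fetches the route anonymously, pages through it, and walks the JSON for reviewer identity fields. The key names in IDENTITY_KEYS, the per_page/page pagination, and the constructed sample used by the self-test are all assumptions; the email-shape check catches addresses under any key name, so it still fires if the real field names differ.

```php
<?php
declare(strict_types=1);
/*
 * dokan-review-scan.php (added example; not Dokan's or Wordfence's code)
 * Fetches /wp-json/dokan/v1/stores/{id}/reviews with no credentials and reports
 * any reviewer identity fields found in the JSON.
 *
 *   php dokan-review-scan.php https://shop.example 12   # scan store 12
 *   php dokan-review-scan.php                          # self-test on constructed data
 */

// Assumed identity field names (exact, case-insensitive match). Display names are
// public by design on a review, so 'name' is deliberately not listed.
const IDENTITY_KEYS = ['email', 'user_email', 'author_email', 'username',
    'user_login', 'user_id', 'author_id', 'reviewer_id', 'customer_id'];

/** Recursively collect [json path, key, value] for every identity-looking leaf. */
function find_exposed_identities(array $node, string $path = ''): array
{
    $hits = [];
    foreach ($node as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, find_exposed_identities($value, $here));
            continue;
        }
        $suspectKey = in_array(strtolower((string) $key), IDENTITY_KEYS, true);
        // Catches an address regardless of the key it is stored under.
        $emailValue = is_string($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        if ($suspectKey || $emailValue) {
            $hits[] = [$here, (string) $key, $value];
        }
    }
    return $hits;
}

/** GET a JSON document anonymously; returns [http status, decoded array]. */
function fetch_json(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("request to $url failed");
    }
    return [$status, json_decode($body, true) ?? []];
}

if (($argc ?? 0) >= 3) {
    [$base, $storeId] = [rtrim($argv[1], '/'), (int) $argv[2]];
    $total = 0;
    // WordPress REST collections page with ?page=N&per_page=M; assumed to hold for
    // Dokan's reviews route. Stop on a non-200 status or an empty page.
    for ($page = 1; $page <= 50; $page++) {
        [$status, $data] = fetch_json("$base/wp-json/dokan/v1/stores/$storeId/reviews?per_page=100&page=$page");
        if ($status !== 200 || $data === []) {
            break;
        }
        foreach (find_exposed_identities($data) as [$path, $key, $value]) {
            printf("%s = %s\n", $path, var_export($value, true));
            $total++;
        }
    }
    echo $total > 0
        ? "EXPOSED: $total identity field(s) readable without authentication\n"
        : "no identity fields found\n";
    exit($total > 0 ? 1 : 0);
}

// Self-test on a constructed response. The shape is an assumption, not Dokan's schema:
// the first review carries three identity fields, the second only a display name.
$sample = [
    ['id' => 1, 'rating' => 5, 'title' => 'Great',
     'author' => ['name' => 'Ada', 'email' => 'ada@example.org', 'user_login' => 'ada', 'user_id' => 42]],
    ['id' => 2, 'rating' => 3, 'title' => 'OK', 'author' => ['name' => 'Bob']],
];
foreach (find_exposed_identities($sample) as [$path, $key, $value]) {
    printf("%s = %s\n", $path, var_export($value, true));
}
```

The scanner exits non-zero when anything is found, so it can sit in a scheduled job or a CI check against a staging copy; run it against a store that actually has reviews, and treat the self-test only as a sanity check of the walker, not of the live site.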

Mitigation Strategies

Update Dokan (and Dokan Pro) to a release after 4.3.1, and confirm in the vendor changelog that the fix for this issue is included, since the advisory names only the last affected version.

If an update is not immediately possible, disable store reviews or deactivate Dokan Pro; the exposure requires both to be in place.

As an interim control, restrict the REST endpoint '/dokan/v1/stores/{id}/reviews' to authenticated requests, for example with a must-use plugin that hooks the REST dispatcher. Any anonymous front-end code that reads that route will then fail, so verify store pages after enabling such a block, and remember that the data was readable without authentication until the control went in.
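One way to implement that interim restriction, added here as an example and not Dokan's own code: a must-use plugin that rejects anonymous requests to the affected route before the route callback runs. The route regex, the DOKAN_REVIEWS_GUARD_CAP constant, and the error code string are the example's own choices; rest_pre_dispatch, WP_Error and rest_authorization_required_code() are WordPress core.

```php
<?php
/**
 * Plugin Name: Dokan store-reviews REST guard (interim hardening; added example)
 * Description: Denies anonymous access to /dokan/v1/stores/{id}/reviews until Dokan is
 *              updated past 4.3.1. Place in wp-content/mu-plugins/ so it always loads.
 */

defined('ABSPATH') || exit;

// Every registered user holds 'read'. If self-registration is open, raise this to a
// capability such as 'manage_woocommerce', since any customer account could otherwise
// still harvest the reviews. (Assumed policy choice; adjust to the site.)
const DOKAN_REVIEWS_GUARD_CAP = 'read';

add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    // Match only the affected collection route, with or without a trailing slash.
    if (!preg_match('#^/dokan/v1/stores/\d+/reviews/?$#', $request->get_route())) {
        return $result; // every other route dispatches normally
    }

    // Core has already authenticated the request (cookie+nonce, application password,
    // ...) before dispatch, so the current user reflects the real caller here.
    if (is_user_logged_in() && current_user_can(DOKAN_REVIEWS_GUARD_CAP)) {
        return $result;
    }

    // A non-null return from rest_pre_dispatch short-circuits dispatch, so the
    // route callback (and prepare_reviews_for_response) never runs for this caller.
    return new WP_Error(
        'dokan_reviews_auth_required',
        'Authentication is required to read store reviews.',
        ['status' => rest_authorization_required_code()] // 401 for anonymous, 403 otherwise
    );
}, 10, 3);
```

Deploy it as a must-use plugin rather than a normal one so it cannot be deactivated by mistake, and remove it once the updated Dokan release is installed and the scanner above reports nothing; the guard blocks access to the route, it does not remove the fields for callers who are allowed through.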
