CVE-2026-3504
Deferred - Pending Action
Sensitive Information Exposure in Dokan WooCommerce Multivendor Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.
Meta Information
Published: 2026-05-02
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wedevs
Product: dokan
Version / Range: to 4.3.1 (inc)
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress has a vulnerability in all versions up to and including 4.3.1. This vulnerability exists in the '/dokan/v1/stores/{id}/reviews' REST API endpoint, where the method 'prepare_reviews_for_response' unintentionally includes sensitive information such as reviewer email addresses, usernames, and user IDs in the API response.

Because of this, unauthenticated attackers can access and extract the email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. Exploiting this vulnerability requires the Pro version of the plugin to be installed and activated, with store reviews enabled.

How can this vulnerability impact me?

This vulnerability can lead to sensitive information exposure, allowing unauthenticated attackers to obtain personal data such as email addresses, usernames, and user IDs of customers who have left reviews.

Such exposure can result in privacy violations, targeted phishing attacks, spam, and potential identity theft for affected users.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to access sensitive personal information such as email addresses, usernames, and user IDs of customers who left reviews. Exposure of such personal data can lead to non-compliance with data protection regulations like GDPR, which require protection of personal data and notification of breaches.

Since the vulnerability involves sensitive information exposure without authentication, it may violate principles of data minimization and confidentiality mandated by standards such as GDPR and HIPAA, potentially resulting in legal and regulatory consequences for affected organizations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin is installed and activated in its Pro version with store reviews enabled.

Specifically, you can attempt to access the REST API endpoint '/dokan/v1/stores/{id}/reviews' without authentication and observe if the response includes reviewer email addresses, usernames, and user IDs.

A sample command using curl to test this would be:

  • curl -X GET https://your-wordpress-site.com/wp-json/dokan/v1/stores/{id}/reviews

If the response contains sensitive information such as email addresses and usernames of reviewers, the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Dokan plugin to a version later than 4.3.1 where this vulnerability is fixed.

If an update is not immediately available, consider disabling the Pro version of the plugin or disabling store reviews to prevent exposure of sensitive information.

Additionally, restrict access to the REST API endpoint '/dokan/v1/stores/{id}/reviews' by implementing authentication or access controls to prevent unauthenticated access.
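As an added example (not code from the Dokan plugin, Wordfence or this advisory), a small WordPress must-use plugin that implements the last step above as an interim control: it hooks the REST dispatcher and, for the affected route, removes reviewer identifiers from responses served to anyone without shop-management rights. The field names in DOKAN_PII_KEYS are assumptions, since the advisory does not list the exact keys the endpoint returns; the e-mail check catches such values under any key.

```php
<?php
/**
 * Plugin Name: Dokan review PII scrubber (added example, not vendor code)
 * Description: Interim mitigation for CVE-2026-3504. Strips reviewer
 * identifiers from responses of /dokan/v1/stores/{id}/reviews until the
 * plugin is updated past 4.3.1. Place in wp-content/mu-plugins/.
 */

// Route named in the advisory: /dokan/v1/stores/{id}/reviews
const DOKAN_REVIEWS_ROUTE = '#^/dokan/v1/stores/\d+/reviews/?$#';

// Assumed key names; the advisory does not list the endpoint's actual fields.
const DOKAN_PII_KEYS = array( 'email', 'user_email', 'user_login', 'username', 'user_id' );

/**
 * Recursively drop PII keys and redact any string that is a valid e-mail
 * address, whatever key it sits under.
 */
function dokan_scrub_pii( $data ) {
    if ( is_array( $data ) ) {
        foreach ( $data as $key => $value ) {
            if ( is_string( $key ) && in_array( strtolower( $key ), DOKAN_PII_KEYS, true ) ) {
                unset( $data[ $key ] );
                continue;
            }
            $data[ $key ] = dokan_scrub_pii( $value );
        }
        return $data;
    }
    if ( is_string( $data ) && is_email( $data ) ) {
        return '[redacted]';
    }
    return $data;
}

add_filter( 'rest_post_dispatch', function ( $result, $server, $request ) {
    if ( ! preg_match( DOKAN_REVIEWS_ROUTE, $request->get_route() ) ) {
        return $result;
    }
    // Shop managers keep the full payload; everyone else gets the scrubbed one.
    if ( is_user_logged_in() && current_user_can( 'manage_woocommerce' ) ) {
        return $result;
    }
    if ( $result instanceof WP_REST_Response ) {
        $result->set_data( dokan_scrub_pii( $result->get_data() ) );
    }
    return $result;
}, 10, 3 );
```

After deploying, repeat the curl check from the detection answer: the review objects should no longer carry e-mail addresses, login names or user IDs for an unauthenticated request.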

