CVE-2026-10023
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID; the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: getdokan
Product: dokan
Version / Range: up to 5.0.3 (inclusive)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10023 is an Insecure Direct Object Reference (IDOR) vulnerability in the Dokan WordPress plugin used for WooCommerce multivendor marketplaces. It affects multiple AJAX handlers related to order management, such as changing order status, adding or deleting order notes, updating shipping tracking info, and managing download permissions.

The vulnerability arises because these handlers validate vendor capabilities but do not verify whether the order being manipulated actually belongs to the requesting vendor. This missing ownership check allows authenticated vendors to manipulate orders that are not theirs.

Attackers can exploit this by harvesting a valid nonce from their own order pages and replaying it against victim order IDs, bypassing nonce protections since the nonce only proves the user is logged in, not that they own the order.

Impact Analysis

This vulnerability allows authenticated vendors with custom vendor-level access or higher to perform unauthorized actions on any order in the marketplace.

  • Modify the status of arbitrary orders.
  • Add attacker-controlled notes to any order, including customer-facing notes that trigger notification emails to buyers.
  • Delete any order note or WordPress comment by ID regardless of ownership.
  • Inject fake shipping tracking information on any order.
  • Grant or revoke downloadable-product permissions on any order.

These impacts can lead to unauthorized order manipulation, misinformation to customers, and improper access to downloadable products, potentially damaging business operations and customer trust.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized attempts by authenticated vendor users to manipulate orders that do not belong to them via the affected AJAX handlers.

Since the exploit uses valid nonces harvested from the attacker's own order pages and targets specific AJAX endpoints, monitoring HTTP requests to these endpoints for unusual order IDs or vendor activity is key.

  • Monitor HTTP POST requests to AJAX handlers such as change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download.
  • Look for requests where the order_id parameter does not belong to the authenticated vendor making the request.
  • Use web server logs or a web application firewall (WAF) to filter and analyze these requests.

Specific commands depend on your environment, but example commands for Linux systems with access to web server logs might include:

  • grep -E 'action=(change_order_status|add_order_note|delete_order_note|add_shipping_tracking_info|grant_access_to_download|revoke_access_to_download)' /var/log/apache2/access.log
  • grep 'order_id=' /var/log/apache2/access.log | less

Further analysis would require correlating the order_id values with vendor ownership data from the application database to detect unauthorized access attempts.
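The correlation step described above, as an added example that is not part of this record or of the Dokan project: it parses request-log lines, keeps only requests to the six affected admin-ajax.php actions, and flags any whose order_id is not owned by the requesting vendor. The log lines and the vendor-to-orders map are constructed for the example, and the log format (timestamp, authenticated WordPress user, method, request target, status) is an assumption: a standard access log carries neither the POST body nor the WordPress user, so in practice the user field has to come from a WAF or custom log format, and the action and order_id must be in the query string for a grep of the access log to see them at all.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The six AJAX actions named in the advisory.
AFFECTED_ACTIONS = {
    "change_order_status", "add_order_note", "delete_order_note",
    "add_shipping_tracking_info", "grant_access_to_download",
    "revoke_access_to_download",
}

# Constructed sample log (assumed format: time user method target status).
# Assumption: a WAF or custom log format records the authenticated WP user.
SAMPLE_LOG = """\
2026-06-18T10:00:01Z vendor_a POST /wp-admin/admin-ajax.php?action=change_order_status&order_id=1001 200
2026-06-18T10:00:05Z vendor_a POST /wp-admin/admin-ajax.php?action=add_order_note&order_id=2001 200
2026-06-18T10:00:09Z vendor_b POST /wp-admin/admin-ajax.php?action=add_shipping_tracking_info&order_id=2001 200
2026-06-18T10:00:12Z vendor_a GET /dashboard/orders/?order_id=1001 200
2026-06-18T10:00:15Z vendor_a POST /wp-admin/admin-ajax.php?action=grant_access_to_download&order_id=2002 403
"""

# Constructed ownership data; in practice export vendor -> order ids from the
# application database (this map is an assumption, not Dokan's schema).
VENDOR_ORDERS = {"vendor_a": {1001, 1002}, "vendor_b": {2001, 2002}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a record for a request to an affected handler, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    action = qs.get("action", [None])[0]
    order_id = qs.get("order_id", [None])[0]
    if action not in AFFECTED_ACTIONS or not (order_id or "").isdigit():
        return None
    return {"time": ts, "user": user, "method": method, "action": action,
            "order_id": int(order_id), "status": int(status)}

def find_cross_vendor_requests(log_text, vendor_orders):
    """Flag affected-handler requests whose order_id the requesting user does not own.
    Rejected attempts (non-2xx) are kept: they still show a vendor probing other orders."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["order_id"] not in vendor_orders.get(rec["user"], set()):
            findings.append(rec)
    return findings
```

Run against SAMPLE_LOG this flags the two vendor_a requests for orders 2001 and 2002; the dashboard GET and vendor_b's request for its own order are not reported.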

Mitigation Strategies

Immediate mitigation involves updating the Dokan plugin to a version that includes the fix for this vulnerability.

The fix adds ownership verification checks (using dokan_is_seller_has_order()) to ensure vendors can only modify orders they own.

If an update is not immediately possible, consider restricting vendor-level access temporarily or disabling the affected AJAX handlers to prevent exploitation.

Additionally, monitor logs for suspicious activity targeting the affected endpoints and review vendor permissions to minimize risk.

Compliance Impact

The vulnerability allows authenticated vendors to manipulate arbitrary orders across the marketplace by exploiting missing ownership validation. This can lead to unauthorized modification of order statuses, notes, shipping information, and download permissions.

Such unauthorized access and modification of order data could potentially lead to violations of data protection regulations like GDPR or HIPAA, as it undermines the integrity and confidentiality of customer and order information.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.
