CVE-2026-11987
Status: Received - Intake

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace

Vulnerability report for CVE-2026-11987, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: Wordfence

Description

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products, including unpublished draft and pending listings, exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.
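The description above boils down to a permission callback that gates on "is the caller a vendor at all" instead of "does the caller own the object named by 'id'". The following is an added, illustrative WordPress REST snippet showing that weak pattern next to an ownership-aware one; it is not Dokan's code. The route namespace 'example-vendor/v1', the function names and the 'product' post type usage are assumptions; 'dokandar' is the capability named in the advisory and 'manage_woocommerce' is WooCommerce's store-manager capability, used here as the admin-level exception.

```php
<?php
// Illustrative WordPress REST permission callbacks for a per-vendor product
// endpoint. Added example, not Dokan's code: the namespace 'example-vendor/v1'
// and the example_* function names are assumptions.

// Weak pattern (the class of bug in the advisory): only checks that the caller
// is some vendor. Every vendor passes, so any 'id' can be read.
function example_weak_product_permission( WP_REST_Request $request ) {
    return current_user_can( 'dokandar' );
}

// Ownership-aware pattern: the generic capability gate stays, but the
// requested object is then tied to the authenticated user.
function example_owner_product_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'dokandar' ) ) {
        return new WP_Error( 'rest_forbidden', 'Vendor access required.', array( 'status' => 403 ) );
    }

    $product_id = absint( $request['id'] );
    $product    = $product_id ? get_post( $product_id ) : null;

    // Unknown id or wrong post type: respond the same way so the endpoint does
    // not confirm which ids exist.
    if ( ! $product || 'product' !== $product->post_type ) {
        return new WP_Error( 'rest_not_found', 'Product not found.', array( 'status' => 404 ) );
    }

    // The key check: the object's author must be the caller, unless the caller
    // holds a store-wide capability that legitimately spans all vendors.
    if ( (int) $product->post_author !== get_current_user_id()
        && ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'You do not own this product.', array( 'status' => 403 ) );
    }

    return true;
}

// For the collection endpoint the equivalent fix is to ignore any caller-supplied
// author filter and pin the query to the authenticated user.
function example_owner_products_query_args( WP_REST_Request $request ) {
    return array(
        'post_type'      => 'product',
        'post_status'    => array( 'publish', 'draft', 'pending' ),
        'author'         => get_current_user_id(), // never taken from the request
        'posts_per_page' => 20,
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/products/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // Safe to load here: the permission callback already proved ownership.
            $product = get_post( absint( $request['id'] ) );
            return rest_ensure_response( array(
                'id'     => $product->ID,
                'title'  => $product->post_title,
                'status' => $product->post_status,
            ) );
        },
        'permission_callback' => 'example_owner_product_permission',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

The design point is that the ownership comparison happens in the permission callback, before the handler runs, and that the collection query derives its author from the session rather than from the request. A quick regression check for this class of bug is to call the endpoint as two different low-privilege vendor accounts with each other's product ids and confirm both get a 403 or 404 rather than the other vendor's draft data.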


Meta Information

Published: 2026-06-27
Last Modified: 2026-06-27
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Vendor: wedevs
Product: dokan
Version range: all versions up to and including 5.0.4


CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

The vulnerability in the Dokan AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is an Insecure Direct Object Reference (IDOR) issue affecting all versions up to and including 5.0.4. It occurs because the 'id' parameter, which is user-controlled, lacks proper validation. This allows authenticated users with subscriber-level access or higher to access and read other vendors' products, including unpublished drafts and pending listings.

The problem arises because the permission checks only verify generic vendor capabilities that all vendors have, rather than confirming that the requested product or author ID actually belongs to the authenticated user.

Impact Analysis

This vulnerability can impact you by exposing sensitive product information from other vendors on the marketplace. An attacker with subscriber-level access can view product names, prices, SKUs, and descriptions that they should not have access to, including unpublished draft and pending product listings.

Such unauthorized access could lead to competitive disadvantages, leakage of confidential business information, and potential loss of trust among vendors using the platform.
