CVE-2026-12224
Status: Received - Intake

Privilege Escalation in Dokan Pro WordPress Plugin

Vulnerability report for CVE-2026-12224, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation; the only check performed is that the caller holds the dokandar capability. This makes it possible for authenticated attackers with self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.
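The pattern the description names, sketched as an added example: this is not Dokan Pro's code, and the function names, the route, the `_vendor_id` meta key and the allowlist entries are assumptions chosen for illustration. The first handler does what the advisory describes (a permission check on `dokandar` only, then every request-supplied string goes straight into `WP_User::add_cap()`); the second keeps that permission check but also verifies the target is a vendor_staff account owned by the caller and rejects any capability outside a fixed allowlist.

```php
<?php
// Added illustrative example, not Dokan Pro's code. Route, function names,
// the '_vendor_id' meta key and the allowlist entries are hypothetical.

// --- Vulnerable pattern (as described in the advisory) ---
function hypo_update_capabilities_vulnerable( WP_REST_Request $request ) {
    $staff_id     = (int) $request->get_param( 'staff_id' );
    $capabilities = (array) $request->get_param( 'capabilities' );
    $staff        = get_user_by( 'id', $staff_id );
    if ( ! $staff ) {
        return new WP_Error( 'not_found', 'No such user', array( 'status' => 404 ) );
    }
    // Any string the caller sends becomes a capability: 'manage_options',
    // or the role name 'administrator', which WordPress treats as a role grant.
    foreach ( $capabilities as $cap ) {
        $staff->add_cap( $cap );
    }
    return rest_ensure_response( array( 'updated' => true ) );
}

// --- Hardened pattern ---
// The only capabilities a vendor may delegate to staff (example names).
const HYPO_STAFF_CAP_ALLOWLIST = array(
    'dokan_view_order_menu',
    'dokan_manage_order',
    'dokan_view_product_menu',
    'dokan_edit_product',
);

function hypo_update_capabilities_hardened( WP_REST_Request $request ) {
    $staff_id     = (int) $request->get_param( 'staff_id' );
    $capabilities = (array) $request->get_param( 'capabilities' );
    $vendor_id    = get_current_user_id();
    $staff        = get_user_by( 'id', $staff_id );

    // 1. Target must exist and actually be a vendor_staff account.
    if ( ! $staff || ! in_array( 'vendor_staff', (array) $staff->roles, true ) ) {
        return new WP_Error( 'invalid_target', 'Target is not a staff account', array( 'status' => 403 ) );
    }
    // 2. Target must belong to the calling vendor (ownership meta key is hypothetical).
    if ( (int) get_user_meta( $staff_id, '_vendor_id', true ) !== $vendor_id ) {
        return new WP_Error( 'not_owner', 'Staff does not belong to this vendor', array( 'status' => 403 ) );
    }
    // 3. Every requested capability must be on the allowlist; otherwise reject the whole request.
    foreach ( $capabilities as $cap ) {
        if ( ! is_string( $cap ) || ! in_array( $cap, HYPO_STAFF_CAP_ALLOWLIST, true ) ) {
            return new WP_Error(
                'invalid_capability',
                sprintf( 'Capability "%s" cannot be delegated', (string) $cap ),
                array( 'status' => 400 )
            );
        }
    }
    // 4. Replace rather than accumulate: clear previously delegated caps, then grant the vetted set.
    foreach ( HYPO_STAFF_CAP_ALLOWLIST as $cap ) {
        $staff->remove_cap( $cap );
    }
    foreach ( $capabilities as $cap ) {
        $staff->add_cap( $cap );
    }
    return rest_ensure_response( array( 'updated' => true, 'capabilities' => $capabilities ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/staff/capabilities', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_update_capabilities_hardened',
        // Same caller check the advisory mentions; on its own it is not enough.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'dokandar' );
        },
    ) );
} );
```

The reason a "capability string" can carry a role: WordPress stores role membership and individually granted capabilities in the same wp_capabilities user meta array, so `add_cap( 'administrator' )` writes `'administrator' => true` into that array and the user is thereafter treated as an administrator. An allowlist of delegable capabilities, checked with strict comparison, is what stops that; the ownership check closes the separate problem of one vendor editing another vendor's staff.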


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: wedevs
Product: dokan_pro
Version / Range: up to and including 5.0.4


Exploitability

CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


AI Quick Actions (the following sections are AI-generated)
Executive Summary

The Dokan Pro plugin for WordPress has a vulnerability that allows privilege escalation through the update_capabilities REST endpoint in all versions up to and including 5.0.4.

This happens because the update_capabilities() REST handler accepts arbitrary capability strings from the request body and passes them directly to WP_User::add_cap() without validating them against an allowlist.

The only check performed is that the caller has the dokandar capability.

As a result, authenticated attackers with self-provisioned Vendor-level access or higher, on sites with the Vendor Staff module enabled, can grant any WordPress capability, including administrator, to any vendor_staff account.

This can lead to a full site takeover.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with limited access (Vendor-level or above) to escalate their privileges arbitrarily.

Attackers can grant themselves or others administrator capabilities, effectively gaining full control over the WordPress site.

A full site takeover can lead to unauthorized data access, modification, deletion, or disruption of services.

It can also compromise the integrity and availability of the website and its data.

Mitigation Strategies

The vulnerability affects all versions of the Dokan Pro plugin up to and including 5.0.4. Immediate mitigation steps include updating the Dokan Pro plugin to a version later than 5.0.4 where this issue is fixed.

Until the update is applied, disable the Vendor Staff module if it is not required, since the vulnerable path depends on it, and restrict who can reach the update_capabilities REST endpoint (for example, by blocking the route at the web server or WAF for all but trusted vendor accounts).

Monitor user roles and capabilities for unauthorized changes, especially for vendor_staff accounts, to detect any privilege escalation attempts.
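One way to do that monitoring, as an added example that is not part of the advisory or of Dokan Pro: a WP-CLI script that walks every vendor_staff account and reports any entry in its per-user wp_capabilities meta that is either an extra role name (such as administrator) or a capability outside the set a vendor is expected to delegate. The allowlist entries and the script filename are assumptions; adjust the allowlist to what the installed version actually delegates.

```php
<?php
// Added audit example, not Dokan's code. Run with WP-CLI:
//   wp eval-file audit-vendor-staff.php   (filename hypothetical)
// Allowlist entries below are example capability names.

function hypo_audit_vendor_staff( array $allowlist ) {
    $findings = array();
    // get_users() with 'role' matches users whose wp_capabilities meta contains
    // the role, so staff that were also granted 'administrator' are still returned.
    $users = get_users( array( 'role' => 'vendor_staff', 'fields' => 'all' ) );
    foreach ( $users as $user ) {
        // $user->caps is the raw per-user map from wp_capabilities meta. It holds
        // role names ('vendor_staff' => true) next to individually granted caps,
        // which is exactly where an injected 'administrator' => true would land.
        foreach ( (array) $user->caps as $cap => $granted ) {
            if ( ! $granted || 'vendor_staff' === $cap ) {
                continue;
            }
            if ( wp_roles()->is_role( $cap ) ) {
                $findings[] = array(
                    'id'   => $user->ID,
                    'user' => $user->user_login,
                    'cap'  => $cap,
                    'why'  => 'extra role',
                );
            } elseif ( ! in_array( $cap, $allowlist, true ) ) {
                $findings[] = array(
                    'id'   => $user->ID,
                    'user' => $user->user_login,
                    'cap'  => $cap,
                    'why'  => 'not on allowlist',
                );
            }
        }
    }
    return $findings;
}

$allowlist = array(
    'dokan_view_order_menu',
    'dokan_manage_order',
    'dokan_view_product_menu',
    'dokan_edit_product',
);

$findings = hypo_audit_vendor_staff( $allowlist );
if ( empty( $findings ) ) {
    WP_CLI::success( 'No vendor_staff account holds unexpected capabilities.' );
} else {
    WP_CLI::warning( count( $findings ) . ' suspicious capability grant(s) found.' );
    WP_CLI\Utils\format_items( 'table', $findings, array( 'id', 'user', 'cap', 'why' ) );
}
```

Running this on a schedule (or once, immediately after patching) gives a concrete answer to whether the endpoint was already abused: a vendor_staff account carrying administrator or any capability the vendor UI never offers is a finding to investigate, not a configuration quirk.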

Compliance Impact

The vulnerability allows authenticated attackers with certain access to escalate privileges and potentially take over the entire WordPress site by granting arbitrary capabilities, including administrator rights.

Such a full site takeover could lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA by compromising confidentiality, integrity, and availability of personal or protected health information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards or any mitigation steps related to regulatory requirements.
