Insecure Direct Object Reference Vulnerability in Dokan Plugin for WordPress
CVE-2026-10023

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Dokan: Ai Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-10023?

The Dokan plugin for WordPress contains a vulnerability allowing authenticated attackers with vendor-level access to manipulate order statuses, inject malicious notes, and alter order-related permissions. This exploitation stems from insufficient ownership validation on user-controlled order IDs in various AJAX handlers. Attackers can leverage valid nonces from their own dashboard to target arbitrary orders, raising critical security concerns for marketplace integrity and user trust.

Affected Version(s)

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy 0 <= 5.0.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/dokan-lite/tag...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
May 28, 2026

Credit

Kirasec

CVE-2026-10023 Data

JSON