Insecure Direct Object Reference in Dokan WooCommerce Plugin for WordPress
CVE-2026-11987

4.3 MEDIUM

What is CVE-2026-11987?

The Dokan plugin for WordPress suffers from an Insecure Direct Object Reference (IDOR) in the 'id' parameter, which affects all versions up to and including 5.0.4. This vulnerability allows authenticated users with subscriber-level access and above to view other vendors' product listings, including unpublished drafts and pending items. The permission callbacks validate the user-controlled keys inadequately: they check only for a generic vendor capability (e.g., 'dokan_view_product_menu') and never verify that the requesting user owns the requested author ID or product. As a result, sensitive product information such as names, prices, SKUs, and descriptions may be exposed, posing a significant risk to vendors' privacy and data integrity.
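The following is an added illustration, not Dokan's code, of the permission-callback defect the advisory describes and of the ownership check that closes it. The route name, the 'author' query parameter, the 'manage_woocommerce' admin capability and the list handler are assumptions; 'dokan_view_product_menu' and the 'id' parameter come from the advisory.

```php
<?php
// Vulnerable pattern (constructed, not Dokan's code): only a generic capability is
// checked, so the requested author id / product id is never tied to the caller.
function example_products_permission_vulnerable( WP_REST_Request $request ) {
    return current_user_can( 'dokan_view_product_menu' );
}

// Hardened pattern: keep the capability check, then enforce ownership of every
// user-controlled object key ('author' filter and product 'id').
function example_products_permission_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'dokan_view_product_menu' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    if ( current_user_can( 'manage_woocommerce' ) ) { // assumed store-manager capability
        return true;
    }
    $user_id = get_current_user_id();

    // Listing: an 'author' filter (assumed parameter name) must equal the caller.
    $author = $request->get_param( 'author' );
    if ( null !== $author && (int) $author !== $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Cannot list another vendor\'s products.', array( 'status' => 403 ) );
    }

    // Single object: the product's post_author must be the caller. Missing and
    // foreign products get the same 404 so existence is not confirmed.
    $product_id = $request->get_param( 'id' );
    if ( null !== $product_id ) {
        $post = get_post( (int) $product_id );
        if ( ! $post || 'product' !== $post->post_type || (int) $post->post_author !== $user_id ) {
            return new WP_Error( 'rest_not_found', 'Product not found.', array( 'status' => 404 ) );
        }
    }
    return true;
}

// Minimal handler (assumed): returns the caller's own products, any status,
// relying on the permission callback above to have vetted 'id' / 'author'.
function example_list_products( WP_REST_Request $request ) {
    $args = array( 'post_type' => 'product', 'post_status' => 'any', 'author' => get_current_user_id() );
    if ( null !== $request->get_param( 'id' ) ) {
        $args['p'] = (int) $request->get_param( 'id' );
    }
    return rest_ensure_response( get_posts( $args ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/products(?:/(?P<id>\d+))?', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_products',
        'permission_callback' => 'example_products_permission_hardened',
    ) );
} );
```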

Affected Version(s)

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy 0 <= 5.0.4

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0xHerc