Privilege Escalation Vulnerability in Dokan Pro Plugin for WordPress
CVE-2026-12224
CVSS score: 8.8 HIGH
What is CVE-2026-12224?
The Dokan Pro plugin for WordPress contains a vulnerability that allows authenticated attackers to escalate their privileges. The issue arises from the update_capabilities() REST handler, which accepts arbitrary capability strings without validating them against the set a vendor is permitted to delegate. As a result, authenticated users with Vendor-level access or higher can grant unauthorized capabilities, including administrative privileges, to any vendor_staff account. On sites that use the Vendor Staff module, this can give an attacker complete control of the website.
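The root cause described above is a capability-update handler that trusts whatever capability names the request carries. The following is an added, illustrative PHP example of how such a handler is hardened; it is not Dokan Pro's code and does not reproduce the plugin's internals. The route namespace, the capability names in the allowlist, the `manage_vendor_staff_example` permission capability and the `_vendor_id_example` user-meta key are all hypothetical placeholders; only the standard WordPress functions (`register_rest_route`, `current_user_can`, `user_can`, `get_userdata`, `WP_User::add_cap`/`remove_cap`, `sanitize_key`, `WP_Error`) are real.

```php
<?php
/**
 * Hardened vendor-staff capability update handler (illustrative example,
 * not Dokan Pro's code). Every name suffixed "_example" is HYPOTHETICAL.
 *
 * Three checks the vulnerable pattern lacks:
 *   1. requested capabilities are validated against a fixed allowlist,
 *   2. the caller may only delegate capabilities it holds itself,
 *   3. the target must be a vendor_staff user owned by the caller.
 */

// HYPOTHETICAL allowlist: the only capabilities a vendor may delegate to staff.
// An allowlist is preferred over a denylist of admin caps ('manage_options',
// 'edit_users', ...) because a denylist silently misses new or plugin-added caps.
const VENDOR_STAFF_GRANTABLE_CAPS = [
    'vendor_manage_products_example', // HYPOTHETICAL capability name
    'vendor_view_orders_example',     // HYPOTHETICAL capability name
    'vendor_view_reports_example',    // HYPOTHETICAL capability name
];

/**
 * Validate the requested capability strings against the allowlist.
 * Returns a de-duplicated list of sanitized names, or a WP_Error.
 */
function vendor_staff_validate_caps( $requested ) {
    if ( ! is_array( $requested ) ) {
        return new WP_Error( 'invalid_caps', 'capabilities must be an array', [ 'status' => 400 ] );
    }
    $clean = [];
    foreach ( $requested as $cap ) {
        if ( ! is_string( $cap ) ) {
            return new WP_Error( 'invalid_caps', 'capability names must be strings', [ 'status' => 400 ] );
        }
        $cap = sanitize_key( $cap );
        // Reject anything not explicitly allowlisted; this is the missing check
        // that lets arbitrary strings such as admin capabilities through.
        if ( ! in_array( $cap, VENDOR_STAFF_GRANTABLE_CAPS, true ) ) {
            return new WP_Error(
                'cap_not_grantable',
                sprintf( 'capability "%s" cannot be delegated to staff', $cap ),
                [ 'status' => 403 ]
            );
        }
        $clean[ $cap ] = true;
    }
    return array_keys( $clean );
}

/**
 * REST callback: replace the delegated capabilities of one vendor_staff user.
 */
function vendor_staff_update_capabilities( WP_REST_Request $request ) {
    $caller = wp_get_current_user();
    $staff  = get_userdata( (int) $request->get_param( 'staff_id' ) );

    // The target must be a vendor_staff account, never an admin or another vendor.
    if ( ! $staff || ! in_array( 'vendor_staff', (array) $staff->roles, true ) ) {
        return new WP_Error( 'invalid_staff', 'target is not a vendor_staff account', [ 'status' => 404 ] );
    }
    // HYPOTHETICAL ownership check: the staff member must belong to the caller's store.
    if ( (int) get_user_meta( $staff->ID, '_vendor_id_example', true ) !== (int) $caller->ID ) {
        return new WP_Error( 'not_owner', 'staff member does not belong to this vendor', [ 'status' => 403 ] );
    }

    $caps = vendor_staff_validate_caps( $request->get_param( 'capabilities' ) );
    if ( is_wp_error( $caps ) ) {
        return $caps;
    }
    // A vendor may only delegate capabilities it already holds, so even a
    // compromised vendor account cannot amplify its own access through staff.
    foreach ( $caps as $cap ) {
        if ( ! user_can( $caller, $cap ) ) {
            return new WP_Error( 'cap_not_held', sprintf( 'caller does not hold "%s"', $cap ), [ 'status' => 403 ] );
        }
    }

    // Replace rather than append: clear every allowlisted cap first so that a
    // capability omitted from the request is revoked, then add the validated set.
    foreach ( VENDOR_STAFF_GRANTABLE_CAPS as $cap ) {
        $staff->remove_cap( $cap );
    }
    foreach ( $caps as $cap ) {
        $staff->add_cap( $cap );
    }
    return rest_ensure_response( [ 'staff_id' => $staff->ID, 'capabilities' => $caps ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'vendor-staff-example/v1', '/staff/(?P<staff_id>\d+)/capabilities', [
        'methods'             => 'POST',
        'callback'            => 'vendor_staff_update_capabilities',
        // HYPOTHETICAL vendor capability; a bare is_user_logged_in() check
        // would let any authenticated account reach the handler.
        'permission_callback' => function () {
            return current_user_can( 'manage_vendor_staff_example' );
        },
        'args' => [
            'capabilities' => [
                'required' => true,
                'type'     => 'array',
                'items'    => [ 'type' => 'string' ],
            ],
        ],
    ] );
} );
```

The allowlist is the essential control; the "caller must hold the capability" and ownership checks are defence in depth so that a weaker vendor account, or one whose store does not own the target staff member, still cannot use the endpoint to reach capabilities outside its own scope.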
Affected Version(s)
Dokan Pro, all versions up to and including 5.0.4