Sensitive Information Exposure in Dokan Plugin for WordPress Multivendor Marketplace
CVE-2026-3504
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- Status:
- CVE Published: 2 May 2026
What is CVE-2026-3504?
The Dokan plugin for WordPress exposes sensitive information to unauthenticated users. In all versions up to and including 4.3.1, the '/dokan/v1/stores/{id}/reviews' REST API endpoint returns the email addresses, usernames, and user IDs of customers who have left reviews. The root cause is that reviewer account details are included in the API response when they should not be. Because the endpoint requires no authentication, anyone who can reach the site can read the personal data of every customer who has reviewed a vendor store. A site is only vulnerable when the Pro version of the plugin is active and store reviews are enabled.
Affected Version(s)
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy: all versions from 0 up to and including 4.3.1 (0 <= 4.3.1)
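Until the plugin is updated, a site owner can strip reviewer account fields out of the affected endpoint's responses with a must-use plugin. The snippet below is an added example, not code from Dokan or WordPress; it uses WordPress core's `rest_post_dispatch` filter, and the list of field names it removes is an assumption about the response shape that should be checked against the real output of your own site.

```php
<?php
/**
 * Plugin Name: Dokan store-reviews PII scrubber (interim mitigation for CVE-2026-3504)
 * Description: Drop reviewer account fields from /dokan/v1/stores/{id}/reviews responses.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

add_filter( 'rest_post_dispatch', function ( $response, $server, $request ) {
    // Only act on the endpoint named in the advisory; leave every other route untouched.
    if ( ! preg_match( '#^/dokan/v1/stores/\d+/reviews(?:/|$)#', $request->get_route() ) ) {
        return $response;
    }
    if ( ! ( $response instanceof WP_REST_Response ) ) {
        return $response;
    }

    // Assumed key names for the leaked reviewer data; verify against your site's actual JSON.
    $pii_keys = array( 'email', 'user_email', 'username', 'user_login', 'user_id', 'customer_id' );

    // Walk the response recursively so nested "reviewer"/"author" objects are scrubbed too.
    $scrub = function ( $data ) use ( &$scrub, $pii_keys ) {
        if ( ! is_array( $data ) ) {
            return $data;
        }
        foreach ( $data as $key => $value ) {
            if ( is_string( $key ) && in_array( strtolower( $key ), $pii_keys, true ) ) {
                unset( $data[ $key ] );
                continue;
            }
            $data[ $key ] = $scrub( $value );
        }
        return $data;
    };

    $response->set_data( $scrub( $response->get_data() ) );
    return $response;
}, 10, 3 );
```

Removing `user_id` may affect how the storefront renders reviews, so test on a staging copy before deploying and treat this as a stopgap, not a replacement for updating the plugin.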