CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34382 – WordPress Dokan Plugin <= 3.7.19 is vulnerable to PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-34382
Deserialization of Untrusted Data vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.19. Vulnerabilidad de deserialización de datos no confiables en weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. Este problema afecta a Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: desde n/a hasta 3.7 .19. The Dokan plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.7.19 via deserialization of untrusted input via the 'create_dummy_vendor' function called by the 'import' REST API endpoint. This allows authenticated attackers with Shop Manager privileges or above to inject a PHP Object. • https://patchstack.com/database/vulnerability/dokan-lite/wordpress-dokan-plugin-3-7-19-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26525 – WordPress Dokan Plugin <= 3.7.12 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-26525
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12. Neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. Este problema afecta a Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: desde n/a hasta el 3.7.12. The Dokan plugin for WordPress is vulnerable to SQL Injection via multiple parameters in versions up to, and including, 3.7.12 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with vendor-level access, and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/dokan-lite/wordpress-dokan-plugin-3-7-12-authenticated-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3915 – Dokan < 3.7.6 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-3915
The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users El complemento Dokan WordPress anterior a 3.7.6 no sanitiza ni escapa adecuadamente un parámetro antes de usarlo en una declaración SQL, lo que genera una inyección de SQL explotable por usuarios no autenticados. The Dokan plugin for WordPress is vulnerable to SQL Injection via the ‘user_ids’ parameter in versions up to, and including, 3.7.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query on an AJAX action that is available to unprivileged users. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wpscan.com/vulnerability/fd416d99-1970-418f-81f5-8438490d4479 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3194 – Dokan < 3.6.4 - Vendor Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3194
The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. El complemento Dokan WordPress anterior a 3.6.4 permite a los proveedores inyectar javascript arbitrario en reseñas de productos, lo que puede permitirles ejecutar ataques de XSS almacenado contra otros usuarios, como administradores de sitios. The Dokan plugin for WordPress is vulnerable to Stored Cross-Site Scripting via product reviews in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with vendor permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was the result of the plugin enabling unfiltered_html capabilities for this user role. • https://wpscan.com/vulnerability/85e32913-dc2a-44c9-addd-7abde618e995 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36748 – Dokan <= 3.0.8 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36748
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •