Kirasec

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change order status, add order note, delete order note, add shipping tracking info, grant access to download, and revoke access to download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order id=OWN ORDER ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.

**Name of the Vulnerable Software and Affected Versions** LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.6.1 **Description** The plugin is affected by Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to missing or incorrect nonce validation in the `change status()` function. Unauthenticated attackers can exploit this to change the status of arbitrary invoices, such as marking unpaid invoices as paid, by inducing a site administrator to click a malicious link. **Recommendations** Update the plugin to a version later than 5.6.0. As a temporary workaround, restrict administrator access to the `change status()` function until the update is applied.

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp safe remote * functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services.

**Name of the Vulnerable Software and Affected Versions** MW WP Form versions prior to 5.1.3 **Description** Insufficient restrictions in the ` get post property from querystring()` function allow unauthenticated attackers to extract data from private, draft, or password-protected posts. **Recommendations** Update to a version later than 5.1.2. As a temporary workaround, consider restricting access to the ` get post property from querystring()` function until the update is applied.

Name of the Vulnerable Software and Affected Versions The Download Monitor plugin for WordPress versions up to and including 5.1.10 Description The Download Monitor plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to missing nonce verification in the `actions handler()` and `bulk actions handler()` methods within the `class-dlm-downloads-path.php` file. This allows unauthenticated attackers to potentially delete, disable, or enable approved download paths by tricking a site administrator into performing an action, such as clicking a malicious link. Recommendations Update to a version of The Download Monitor plugin for WordPress greater than 5.1.10.