Name of the Vulnerable Software and Affected Versions:

Dokan Pro versions prior to 4.0.6

Description:

The Dokan Pro plugin for WordPress is susceptible to privilege escalation via account takeover. The issue stems from insufficient user identity validation during staff password resets, allowing authenticated attackers with vendor-level access or higher to elevate their privileges. Attackers can then modify arbitrary user passwords, including those of administrators, to gain unauthorized access to accounts. By default, the plugin allows customers to become vendors.

Recommendations:

Update Dokan Pro to version 4.0.6 or later.