PT-2026-3536 · WordPress · Dokan

Angus Girvan · Published 2026-01-20 · Updated 2026-01-25 · CVE-2025-14977

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Dokan versions up to and including 4.2.4

Description: The Dokan plugin for WordPress is susceptible to an Insecure Direct Object Reference (IDOR) issue. The flaw stems from a lack of validation on a user-controlled key (the vulnerable parameter) within the /wp-json/dokan/v1/settings REST API endpoint. Authenticated attackers with customer-level permissions or higher can potentially read or modify store settings belonging to other vendors, including sensitive data such as PayPal email addresses, bank account details, routing numbers, IBANs, SWIFT codes, phone numbers, and addresses. Exploitation could allow attackers to redirect marketplace payouts to accounts they control, resulting in financial theft.

Recommendations: Update Dokan to a version beyond 4.2.4.
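The root cause described above is a missing ownership check: the endpoint accepts a caller-supplied vendor identifier and acts on that vendor's settings without confirming the caller owns the store. The following PHP is an added illustration written for this page, not Dokan's code and not the vendor's patch. It assumes a hypothetical plugin that stores each vendor's store settings in user meta under the constructed key `example_store_settings` and exposes them at the hypothetical route `/wp-json/example/v1/settings/<vendor_id>`; the route, namespace, meta key and function names are all assumptions. It contrasts the weak authorization shape (any logged-in user passes) with a permission callback that binds the target vendor to the authenticated user.

```php
<?php
// Added example for this advisory page; not Dokan's code. Assumes a plugin
// that keeps per-vendor store settings in user meta under the constructed
// key 'example_store_settings' (assumption) and serves them from the
// hypothetical route /wp-json/example/v1/settings/<vendor_id>.

// Only these fields are ever read from a request body; anything else,
// including any vendor_id smuggled into the payload, is dropped.
const EXAMPLE_ALLOWED_SETTINGS = [ 'payment_email', 'bank_iban', 'bank_swift', 'phone', 'address' ];

// WEAK SHAPE (the class of defect the advisory describes): being logged in
// is treated as sufficient, so a customer can name any vendor_id.
function example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED SHAPE: the vendor_id in the URL must be the caller's own account
// unless the caller is a site administrator.
function example_can_access_vendor_settings( WP_REST_Request $request ) {
    $vendor_id = absint( $request['vendor_id'] );
    $current   = get_current_user_id();

    if ( 0 === $current ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            [ 'status' => rest_authorization_required_code() ] );
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true; // administrators may manage any store
    }
    if ( $vendor_id !== $current ) {
        // This comparison is the ownership check whose absence makes the
        // endpoint an IDOR.
        return new WP_Error( 'rest_forbidden', 'You may only access your own store settings.',
            [ 'status' => 403 ] );
    }
    return true;
}

function example_get_store_settings( WP_REST_Request $request ) {
    $vendor_id = absint( $request['vendor_id'] );
    $settings  = get_user_meta( $vendor_id, 'example_store_settings', true );
    return rest_ensure_response( is_array( $settings ) ? $settings : [] );
}

function example_update_store_settings( WP_REST_Request $request ) {
    $vendor_id = absint( $request['vendor_id'] );
    $incoming  = (array) $request->get_json_params();
    $existing  = get_user_meta( $vendor_id, 'example_store_settings', true );
    $existing  = is_array( $existing ) ? $existing : [];

    // Allowlist the writable fields so the payload cannot re-target another
    // vendor or write arbitrary keys.
    foreach ( EXAMPLE_ALLOWED_SETTINGS as $key ) {
        if ( array_key_exists( $key, $incoming ) ) {
            $existing[ $key ] = sanitize_text_field( (string) $incoming[ $key ] );
        }
    }
    update_user_meta( $vendor_id, 'example_store_settings', $existing );
    return rest_ensure_response( $existing );
}

add_action( 'rest_api_init', function () {
    $vendor_arg = [
        'vendor_id' => [
            'required'          => true,
            'sanitize_callback' => 'absint',
            'validate_callback' => function ( $value ) {
                return is_numeric( $value ) && (int) $value > 0;
            },
        ],
    ];
    register_rest_route( 'example/v1', '/settings/(?P<vendor_id>\d+)', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_store_settings',
            'permission_callback' => 'example_can_access_vendor_settings',
            'args'                => $vendor_arg,
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_store_settings',
            'permission_callback' => 'example_can_access_vendor_settings',
            'args'                => $vendor_arg,
        ],
    ] );
} );
```

The design point for reviewers: the object identifier a request names (here `vendor_id`) must be tied to the authenticated principal inside `permission_callback`, before the handler runs, and the handler must never take the target identity from the request body. A quick audit check for similar plugins is to grep every `register_rest_route` call for a `permission_callback` that is `__return_true`, `is_user_logged_in`, or a bare capability check with no comparison against the resource owner.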

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2025-14977

Affected Products: Dokan