PT-2026-36618 · WordPress · Dokan

Rafshanzani Suhada · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-3504

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution, versions prior to 4.3.2
Description: Sensitive information exposure occurs via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. The prepare_reviews_for_response() method includes reviewer email addresses, usernames, and user IDs in the API response, so an unauthenticated attacker can extract the email addresses, usernames, and user IDs of all customers who have left reviews on any vendor's store. This issue requires the Pro version of the plugin to be installed and activated, with store reviews enabled.
Recommendations: Update to a version later than 4.3.1. As a temporary workaround, disable store reviews or restrict access to the '/dokan/v1/stores/{id}/reviews' endpoint to minimize the risk of exploitation.
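One way to apply the temporary workaround above until the update is installed, as an added example that is not Dokan's or the advisory's own code: a must-use plugin that uses WordPress's rest_pre_dispatch and rest_post_dispatch filters to require authentication on the reviews route and, as defence in depth, strip reviewer identity fields from whatever the route returns. The numeric {id} match and the list of response keys treated as PII are assumptions, since the advisory does not list the response's field names.

```php
<?php
/**
 * Plugin Name: Restrict store reviews endpoint (hypothetical mitigation)
 * Drop into wp-content/mu-plugins/. Added example, not Dokan's own code.
 */

// Route from the advisory; {id} is assumed to be numeric, so match digits.
const MU_REVIEWS_ROUTE = '#^/dokan/v1/stores/\d+/reviews#';

// Keys assumed to carry reviewer identity; adjust after inspecting a real response.
const MU_REVIEWS_PII_KEYS = array( 'email', 'user_email', 'user_id', 'username', 'user_login', 'user_nicename' );

// 1) Reject unauthenticated callers before the route callback runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( preg_match( MU_REVIEWS_ROUTE, $request->get_route() ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication is required to read store reviews.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );

// 2) Defence in depth: strip reviewer identity keys from any response on that route,
//    so even authenticated callers only see display name, rating and comment text.
add_filter( 'rest_post_dispatch', function ( $response, $server, $request ) {
    if ( preg_match( MU_REVIEWS_ROUTE, $request->get_route() ) && $response instanceof WP_REST_Response ) {
        $response->set_data( mu_reviews_strip_pii_keys( $response->get_data() ) );
    }
    return $response;
}, 10, 3 );

// Recursively remove the listed keys from nested arrays (reviews are usually a list of maps).
function mu_reviews_strip_pii_keys( $data ) {
    if ( ! is_array( $data ) ) {
        return $data;
    }
    foreach ( $data as $key => $value ) {
        if ( is_string( $key ) && in_array( strtolower( $key ), MU_REVIEWS_PII_KEYS, true ) ) {
            unset( $data[ $key ] );
        } else {
            $data[ $key ] = mu_reviews_strip_pii_keys( $value );
        }
    }
    return $data;
}
```

Verify the effect by requesting the route anonymously and as a logged-in user, then confirm that any key you find missing from the PII list is added to it before relying on this in production.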

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2026-3504

Affected Products: Dokan