CVE-2026-10023

🗓️ 18 Jun 2026 04:16:33Reported by [email protected]Type

nvd

nvd🔗 web.nvd.nist.gov👁 6 Views

Vendor attackers can modify any order and notes via insecure direct object reference in Dokan 5.0.3.

Reporter	Title	Published	Views	Family All 5
CVE	CVE-2026-10023	18 Jun 202603:41	–	cve
Cvelist	CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers	18 Jun 202603:41	–	cvelist
EUVD	EUVD-2026-37835	18 Jun 202606:32	–	euvd
Patchstack	WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability	17 Jun 202614:54	–	patchstack
Positive Technologies	PT-2026-50617	18 Jun 202600:00	–	ptsecurity

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php
github	www.github.com/getdokan/dokan/pull/3246
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/998e545c-2ad5-48ec-bad1-d346170af408
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Install/Installer.php
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php
plugins	www.plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.1/includes/Ajax.php

18 Jun 2026 04:16Current

CVSS 3.14.3

direct object reference order modification vendor access notes injection shipping tracking nonce bypass dokan plugin vulnerable versions download permissions