CVE-2026-12224
WordPress · Dokan Pro
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST endpoint, allowing unauthorized users to elevate their access levels.
Executive summary
The Dokan Pro plugin for WordPress contains a critical privilege escalation flaw that could allow an attacker to gain unauthorized administrative control over the site.
Vulnerability
The vulnerability lies in an insecure REST API endpoint, update_capabilities, which does not properly validate the permissions of the user making the request. An attacker can use it to raise their own user privileges, potentially gaining full administrative access to the WordPress installation.
Business impact
With a CVSS score of 8.8, this vulnerability poses a severe risk to the entire web application. Privilege escalation lets an attacker bypass standard access controls, leading to total site compromise, data exfiltration, or injection of malicious code, any of which could cause significant reputational damage and loss of customer trust.
Remediation
Immediate Action: Update the Dokan Pro plugin to the latest version to patch the vulnerable REST endpoint.
Proactive Monitoring: Monitor WordPress user role changes and administrative login activity for any unexpected modifications to user capabilities.
Compensating Controls: Utilize a Web Application Firewall (WAF) to block requests targeting the update_capabilities REST endpoint until the plugin can be updated.
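The monitoring and WAF recommendations above both depend on recognising requests to the update_capabilities endpoint. The following Python script is an added example, not code from the advisory or from the Dokan project: it parses web-server access logs in the common "combined" format, flags every REST request whose URL-decoded target names the endpoint, and counts per source address how many of those requests received a 2xx response (which, before patching, means the call was accepted). The sample log lines are constructed, and the "dokan/v1" namespace in front of update_capabilities is an assumption; the advisory names only the endpoint. The script deliberately checks both REST addressing forms WordPress accepts, /wp-json/... and index.php?rest_route=..., because a WAF rule written only for the /wp-json/ prefix would miss the second form.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx "combined" format), not real traffic.
# The "dokan/v1" namespace is assumed; the advisory names only the update_capabilities endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2026:10:14:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2026:10:14:09 +0000] "POST /wp-json/dokan/v1/update_capabilities HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [02/Mar/2026:10:15:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2026:10:16:00 +0000] "POST /index.php?rest_route=%2Fdokan%2Fv1%2Fupdate_capabilities HTTP/1.1" 403 12 "-" "curl/8.4"
"""

# One line of the combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    time: str
    method: str
    target: str
    status: int
    agent: str


def is_rest_request(target: str) -> bool:
    """True for either of the two ways WordPress routes REST requests."""
    return target.startswith("/wp-json/") or "rest_route=" in target


def find_endpoint_hits(log_text: str, endpoint: str = "update_capabilities") -> list[Hit]:
    """Return every REST request whose URL-decoded target names the endpoint."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = unquote(m["target"])  # decode %2F etc. so the rest_route form is matched too
        if is_rest_request(target) and endpoint in target.lower():
            hits.append(Hit(m["ip"], m["time"], m["method"], target, int(m["status"]), m["agent"]))
    return hits


def summarize_by_ip(hits: list[Hit]) -> dict[str, dict[str, int]]:
    """Per source IP: requests that reached the endpoint, and how many got a 2xx response."""
    summary: dict[str, dict[str, int]] = {}
    for h in hits:
        entry = summary.setdefault(h.ip, {"requests": 0, "succeeded": 0})
        entry["requests"] += 1
        if 200 <= h.status < 300:
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {h.ip} {h.method} {h.target} -> {h.status} ({h.agent})")
    print(summarize_by_ip(hits))
```

A 2xx response on a request from an address that also appears in later administrative activity is the sequence worth escalating; a 403 on the same path shows the compensating WAF rule is doing its job. Point the script at the live access log (or feed the same regex into the SIEM) rather than at the constructed sample.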
Exploitation status
Public Exploit Available: false
Analyst recommendation
Privilege escalation vulnerabilities in plugins are frequently targeted by automated botnets. It is critical to patch the Dokan Pro plugin immediately. Organizations should also perform a security audit of current administrative users to ensure no unauthorized accounts were created during the period the site remained vulnerable.
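The audit of administrative users recommended above can be done against a user export. The Python below is an added example, not code from the advisory or from the Dokan project. It takes input in the shape of WP-CLI's `wp user list --format=json` output (the accounts, timestamps, baseline and vulnerability window are all constructed or assumed) and flags every account holding the administrator role that is not in a pre-incident baseline, was registered while the site ran the vulnerable version, or holds administrator alongside another role, which is what an escalated low-privilege account typically looks like.

```python
from __future__ import annotations
import json
from datetime import datetime

# Constructed input in the shape of `wp user list --format=json`; accounts are invented.
SAMPLE_USERS_JSON = """
[
  {"ID": 1,  "user_login": "owner",       "user_email": "owner@example.com",     "user_registered": "2021-05-03 08:00:00", "roles": "administrator"},
  {"ID": 2,  "user_login": "editor_jane", "user_email": "jane@example.com",      "user_registered": "2022-01-10 12:30:00", "roles": "editor"},
  {"ID": 57, "user_login": "vendor42",    "user_email": "vendor42@example.net",  "user_registered": "2025-11-20 09:12:33", "roles": "subscriber,administrator"},
  {"ID": 61, "user_login": "support-tmp", "user_email": "tmp@example.org",       "user_registered": "2026-02-14 03:41:09", "roles": "administrator"}
]
"""

# Assumed values: the administrator baseline recorded before the vulnerable period,
# and the window during which the vulnerable plugin version was installed.
KNOWN_ADMINS = {"owner"}
VULNERABLE_FROM = datetime(2025, 10, 1)
PATCHED_AT = datetime(2026, 3, 2, 11, 0)


def load_users(raw: str) -> list[dict]:
    return json.loads(raw)


def parse_roles(roles_field: str) -> set[str]:
    """WP-CLI lists roles as a comma-separated string."""
    return {r.strip() for r in roles_field.split(",") if r.strip()}


def audit_admins(users: list[dict], known_admins: set[str],
                 window_start: datetime, window_end: datetime) -> list[dict]:
    """Return administrator accounts that need a human look, with the reason(s)."""
    findings = []
    for u in users:
        roles = parse_roles(u["roles"])
        if "administrator" not in roles:
            continue
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in administrator baseline")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if window_start <= registered <= window_end:
            reasons.append("registered while the site was vulnerable")
        extra = sorted(roles - {"administrator"})
        if extra:
            reasons.append("holds administrator alongside: " + ", ".join(extra))
        if reasons:
            findings.append({"ID": u["ID"], "user_login": u["user_login"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_admins(load_users(SAMPLE_USERS_JSON), KNOWN_ADMINS, VULNERABLE_FROM, PATCHED_AT):
        print(f"user {f['ID']} ({f['user_login']}): " + "; ".join(f["reasons"]))
```

The role listing is derived from each user's capabilities, so a capability granted directly to a user without assigning a role does not show up here; `wp user list-caps <user>` lists an individual account's capabilities and is the complementary check for accounts that look ordinary in the role view.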