CVE-2026-56033

Dokan Multivendor Plugin · Dokan Pro

A critical unauthenticated privilege escalation vulnerability in Dokan Pro allows attackers to bypass security controls and obtain administrative access.

Executive summary

The Dokan Pro multivendor plugin is affected by an unauthenticated privilege escalation flaw that could allow an attacker to seize administrative control of the platform.

Vulnerability

The vulnerability originates from a failure to enforce proper capability checks, allowing an unauthenticated user to trigger functions that elevate their privileges to those of an administrator.
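The flaw class described above, as an added illustration that is not Dokan's code and does not reproduce the actual affected code path (which this advisory does not detail): a generic WordPress AJAX handler that changes a user's role, first in the pattern that produces unauthenticated privilege escalation (reachable without a session, no capability check, no nonce), then hardened with the checks WordPress provides. All hook names, function names and the role allow-list are hypothetical.

```php
<?php
// Added illustration (not Dokan code): a WordPress AJAX handler that changes a
// user's role. The "before" version shows the flaw class (no capability check,
// registered on the nopriv hook so it is reachable without a session); the
// "after" version enforces the checks WordPress expects. Names are hypothetical.

// --- Vulnerable pattern: reachable unauthenticated, no capability or nonce check.
add_action( 'wp_ajax_nopriv_example_set_role', 'example_set_role_vulnerable' );
add_action( 'wp_ajax_example_set_role',        'example_set_role_vulnerable' );

function example_set_role_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );
    $user    = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $role ); // any caller can give any user any role
    }
    wp_send_json_success();
}

// --- Hardened pattern: authenticated only, nonce verified, capability enforced,
//     and the target role restricted to an allow-list that excludes administrator.
add_action( 'wp_ajax_example_set_role_safe', 'example_set_role_safe' );

function example_set_role_safe() {
    // Reject forged cross-site requests; wp_die()s on failure.
    check_ajax_referer( 'example_set_role_nonce', 'nonce' );

    // Only users who may change other users' roles get past this point.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );

    // Never let this endpoint grant a role stronger than the allow-list
    // (hypothetical roles for a marketplace; 'administrator' is deliberately absent).
    $allowed_roles = array( 'subscriber', 'customer', 'vendor' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    // The caller must also be allowed to edit this specific user.
    $user = get_userdata( $user_id );
    if ( ! $user || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user->set_role( $role );
    wp_send_json_success();
}
```

Two points the hardened version makes that a plain `is_user_logged_in()` check would not: the capability check (`promote_users` plus the per-target `edit_user` meta capability) ties the action to what the caller is actually permitted to do, and the role allow-list means that even a logic mistake elsewhere cannot turn this handler into a path to `administrator`.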

Business impact

With a CVSS score of 9.8, this flaw poses a severe risk to the integrity of multivendor marketplace environments. An exploit could allow unauthorized parties to access sensitive vendor data, modify store configurations, or redirect financial transactions, leading to catastrophic business impact.

Remediation

Immediate Action: Update the Dokan Pro plugin to the latest version released by the vendor to eliminate the vulnerability.

Proactive Monitoring: Audit site logs for anomalous activity, specifically focusing on user role modification requests and unauthorized administrative logins.

Compensating Controls: Utilize a WAF to inspect incoming traffic and block requests that attempt to invoke administrative functions without proper authorization headers.
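One way to give the "Proactive Monitoring" step something concrete to audit, as an added example that is not part of Dokan or of this advisory: a must-use plugin that writes an audit line whenever a user's role is set or added, or an administrator logs in. It uses the core WordPress hooks `set_user_role`, `add_user_role` and `wp_login`; the log destination (`error_log`), the line format and the plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Example Role Change Audit
 * Added example (not Dokan code): drop into wp-content/mu-plugins/ to record
 * role changes and administrator logins. Log target and format are assumptions.
 */

function example_audit_log( $event, array $fields ) {
    // Record who performed the change and where the request came from. A role
    // change with actor_id 0 (no logged-in user) is exactly the pattern an
    // unauthenticated privilege escalation leaves behind.
    $fields['actor_id'] = get_current_user_id(); // 0 when unauthenticated
    $fields['remote']   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    $fields['uri']      = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
    $fields['ts']       = gmdate( 'c' );
    error_log( 'ROLE_AUDIT ' . $event . ' ' . wp_json_encode( $fields ) );
}

// Fires from WP_User::set_role() with the new role and the previous role list.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_audit_log( 'set_role', array(
        'user_id'   => (int) $user_id,
        'new_role'  => $role,
        'old_roles' => $old_roles,
    ) );
}, 10, 3 );

// Fires from WP_User::add_role(); an added 'administrator' role is the key case.
add_action( 'add_user_role', function ( $user_id, $role ) {
    example_audit_log( 'add_role', array(
        'user_id'  => (int) $user_id,
        'new_role' => $role,
    ) );
}, 10, 2 );

// Record every administrator login so it can be matched against expected staff.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( user_can( $user, 'manage_options' ) ) {
        example_audit_log( 'admin_login', array(
            'user_id' => (int) $user->ID,
            'login'   => $user_login,
        ) );
    }
}, 10, 2 );
```

When reviewing the resulting lines, the two conditions worth alerting on are a `set_role` or `add_role` event whose `new_role` is `administrator`, and any role-change event whose `actor_id` is `0` or whose `uri` points at a front-end or AJAX endpoint rather than the users screen in `wp-admin`. An `admin_login` for an account that was not an administrator the day before closes the loop on the first two.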

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate action to protect the marketplace and its associated user data. Security teams must verify that all Dokan Pro installations are updated to the latest patched version to prevent potential exploitation and maintain system integrity.