Unauthenticated Privilege Escalation in Dokan Pro <= 5.0.4 versions.
The vulnerability classified as CWE-266 (Incorrect Privilege Assignment) involves incorrect privilege assignment in the Dokan Pro plugin. An attacker without any account or session can exploit this flaw to gain higher privileges than those to which they should be entitled. The lack of authentication requirement (PR:N, UI:N) means that the exploit can be carried out remotely over the network without any user interaction.
An attacker can gain elevated privileges within the WordPress application, which may lead to complete takeover of the website, including data reading, modification, and deletion (C:H, I:H, A:H).
The Dokan Pro plugin should be immediately updated to a version higher than 5.0.4. Detailed information about available patches can be found in the manufacturer's references and in the Patchstack database.
Dokan Pro plugin for WordPress in versions 5.0.4 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H