CVE-2024-3922 CRITICAL

CVE-2024-3922: Dokan Pro <= 3.10.3 - Unauthenticated SQL Injection

Vendor Wedevs

Product Dokan Pro

Weakness CWE-89 · SQLi

Published June 13, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Key dates

02Disclosure timeline

June 13, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-3922

Related vulnerabilities

04Related CVE

CVE-2023-1039 SourceCodester Class and Exam Timetabling System POST Parameter index3.php sql injection CVE-2016-20068 WordPress Booking Calendar Contact Form 1.0.23 SQL Injection CVE-2025-60107 WordPress LambertGroup - AllInOne - Banner with Playlist Plugin <= 3.8 - SQL Injection Vulnerability CVE-2026-3346 Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw CVE-2025-13279 code-projects Nero Social Networking Site profilefriends.php sql injection