CVE-2025-5931 (Severity: HIGH)

CVE-2025-5931: Dokan Pro <= 4.0.5 - Authenticated (Vendor+) Privilege Escalation

Vendor: Wedevs
Product: Dokan Pro
Weakness: CWE-269 (Improper Privilege Management)
Published: August 26, 2025
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly validating a user's identity prior to updating their password during a staff password reset. This makes it possible for authenticated attackers, with vendor-level access and above, to elevate their privilege to the level of a staff member and then change arbitrary user passwords, including those of administrators in order to gain access to their accounts. By default, the plugin allows customers to become vendors.

Explanation of the vulnerability in simple terms

02 Summary

Dokan Pro versions up to and including 4.0.5 contain a privilege management flaw in the staff password reset flow: the plugin does not verify the identity of the user whose password is being changed. An authenticated user with vendor-level access (which customers can obtain by default) can first reach staff-level privileges and then reset the password of any account, including administrators. This affects the confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker capabilities

Change arbitrary user passwords, including administrator passwords, and thereby take over those accounts and the data and functionality they control.

Potential impact on your site

04 Site impact

Authenticated vendor-level users can escalate to administrator-level access through account takeover, compromising data security and site integrity.

Conditions required to exploit

05 Prerequisites

The attacker needs an authenticated account with vendor-level access or above (by default the plugin lets customers become vendors); no user interaction is required.

Key dates

06 Disclosure timeline

August 26, 2025: CVE published
April 8, 2026: Record updated