CVE-2025-12809
Description
The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /dokan/v1/wholesale/register REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can enumerate WordPress users and retrieve email addresses via a missing capability check in Dokan Pro's REST API endpoint up to version 4.1.3.
The Dokan Pro plugin for WordPress contains a missing capability check vulnerability in the /dokan/v1/wholesale/register REST API endpoint [1]. This affects all versions up to and including 4.1.3. The endpoint fails to properly verify whether a user has the required authorization before processing requests, which allows unauthenticated attackers to access sensitive user data.
An attacker can exploit this vulnerability by sending a crafted request to the REST API endpoint, providing a user ID to retrieve detailed information about that user. No authentication is required, and the attacker can enumerate users and collect data including email addresses, usernames, display names, user roles, and registration dates [1].
The impact of this vulnerability is the unauthorized disclosure of user information, particularly email addresses, which could be used for targeted phishing campaigns or other social engineering attacks. User enumeration also gives an attacker reconnaissance on the WordPress installation, for example which accounts hold administrator roles and which other roles are in use.
As of the last affected version 4.1.3, no patch has been released for this specific vulnerability. Users are advised to update to the latest version of Dokan Pro once available, or to implement additional security measures such as web application firewall rules to block unauthenticated access to the vulnerable endpoint [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
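The interim measure mentioned above (blocking unauthenticated access to the vulnerable route until a fixed release is installed) can be done inside WordPress itself rather than only at a WAF. The following mu-plugin is an added example written for this page, not Dokan's or WordPress's own code; it assumes the route is registered under exactly the path given in the description and short-circuits REST dispatch for anonymous callers before the endpoint callback runs.

```php
<?php
/**
 * Plugin Name: Stopgap - refuse anonymous calls to one Dokan REST route
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 * Hypothetical example; remove once a patched Dokan Pro release is installed.
 */

// Route named in the CVE description; the registered pattern is assumed to match it exactly.
const STOPGAP_BLOCKED_ROUTE = '/dokan/v1/wholesale/register';

/**
 * Runs on the rest_pre_dispatch filter, i.e. after REST authentication has been
 * resolved but before any endpoint callback. Returning a WP_Error makes
 * WordPress answer with that error instead of dispatching the request.
 */
function stopgap_block_anonymous_wholesale( $result, $server, $request ) {
    // Leave every other route, and any earlier short-circuit, untouched.
    if ( null !== $result || STOPGAP_BLOCKED_ROUTE !== $request->get_route() ) {
        return $result;
    }
    // Logged-in callers keep the plugin's normal behaviour; only anonymous callers are refused.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Record the refusal in the PHP error log so blocked probes can be reviewed.
    error_log( sprintf(
        'stopgap: refused anonymous %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // 401 for anonymous callers, as WordPress core does for protected routes.
    return new WP_Error(
        'rest_forbidden',
        __( 'Authentication required.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'stopgap_block_anonymous_wholesale', 10, 3 );
```

This only removes the unauthenticated path described in the advisory; the proper fix is a permission_callback on the route itself, so the stopgap should be retired as soon as a patched version is deployed.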
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.