CVE-2024-3922

10.0 CRITICAL

📋 TL;DR

The Dokan Pro WordPress plugin contains an unauthenticated SQL injection vulnerability in the 'code' parameter. Attackers can exploit this to execute arbitrary SQL commands and extract sensitive data from the database. All WordPress sites using Dokan Pro version 3.10.3 or earlier are affected.

💻 Affected Systems

Products:
  • Dokan Pro WordPress Plugin
Versions: All versions up to and including 3.10.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using vulnerable Dokan Pro versions regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including user credentials, payment information, and sensitive business data, potentially leading to full site takeover.

🟠 Likely Case: Data exfiltration of user information, plugin settings, and potentially WordPress configuration details.

🟢 If Mitigated: Limited impact if database permissions are restricted and a web application firewall blocks SQL injection patterns.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes this easily accessible to any internet user.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but external threat is more significant.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameters requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.4 or later

Vendor Advisory: https://dokan.co/docs/wordpress/changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Dokan Pro and click 'Update Now'.
4. Verify the version is 3.10.4 or higher.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block SQL injection patterns targeting the 'code' parameter.

Temporary Plugin Deactivation (platform: linux)

Disable the Dokan Pro plugin until patched:

wp plugin deactivate dokan-pro

🧯 If You Can't Patch

  • Implement strict input validation for all 'code' parameter inputs
  • Restrict database user permissions to SELECT only where possible

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Dokan Pro version number

Check Version:

wp plugin list --name=dokan-pro --field=version

Verify Fix Applied:

Confirm Dokan Pro version is 3.10.4 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests with 'code' parameter containing SQL keywords

Network Indicators:

  • HTTP requests with SQL injection payloads in 'code' parameter

SIEM Query:

web_access_logs WHERE url_query CONTAINS 'code=' AND (url_query CONTAINS 'UNION' OR url_query CONTAINS 'SELECT' OR url_query CONTAINS 'OR 1=1')
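Offline detection logic for the indicators above, as an added example that is not part of the original advisory: it applies the SIEM query's three patterns to constructed Apache/nginx combined-format access log lines (hypothetical IPs and paths), URL-decoding the query string so encoded payloads are not missed and checking only the 'code' parameter to keep false positives down.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three patterns named in the SIEM query above, matched case-insensitively
# after URL decoding. Extend this list for other keywords your WAF logs show.
SQL_PATTERNS = [
    ("UNION", re.compile(r"\bunion\b", re.I)),
    ("SELECT", re.compile(r"\bselect\b", re.I)),
    ("OR 1=1", re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
]

# Apache/nginx combined log format: client - - [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_code_values(path):
    """Return the names of SQL patterns found in any 'code' query parameter of a request path."""
    # parse_qs decodes %xx escapes and '+' so encoded payloads are inspected in clear text
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    hits = []
    for value in params.get("code", []):
        hits.extend(name for name, rx in SQL_PATTERNS if rx.search(value))
    return hits


def scan_access_log(lines):
    """Return (ip, timestamp, path, matched_patterns) for each request flagged as suspicious."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in combined log format
            continue
        hits = suspicious_code_values(m["path"])
        if hits:
            flagged.append((m["ip"], m["ts"], m["path"], hits))
    return flagged


# Constructed sample lines (hypothetical addresses and paths), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2024:12:01:02 +0000] "GET /?code=SPRING10 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2024:12:01:09 +0000] "GET /?code=x%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 73',
    '203.0.113.4 - - [10/May/2024:12:02:40 +0000] "GET /?code=abc%27+or+1%3D1--+ HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2024:12:03:11 +0000] "GET /?q=select+shoes HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {hits}")
```

The fourth sample line carries the word "select" in a different parameter and is deliberately not flagged, which is the main false-positive class the broad SIEM query would catch.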
