CVE-2025-14977

8.1 HIGH

📋 TL;DR

The Dokan WordPress plugin does not adequately verify that the authenticated caller is entitled to the vendor store settings it reads or writes, so any logged-in user with customer-level permissions or higher can read and modify other vendors' store settings. Attackers can read sensitive payment information such as PayPal emails, bank details and addresses, and can redirect payouts to attacker-controlled accounts, enabling financial theft. All WordPress sites running a vulnerable version of the Dokan plugin are affected.

💻 Affected Systems

Products:
  • Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress
Versions: Up to and including version 4.2.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Dokan plugin enabled and at least one user with customer-level permissions.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass financial theft through redirected vendor payouts, exposure of sensitive banking information, and potential regulatory compliance violations.

🟠

Likely Case

Targeted attackers compromise individual vendors' payment information and redirect payouts, causing financial loss and data breach.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place to detect unauthorized API calls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account, but customer-level permissions are enough, so on marketplaces that let customers register themselves anyone can meet that requirement by signing up. The requests themselves are ordinary REST API calls with manipulated parameters; no special tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Dokan plugin and click 'Update Now'.
4. Verify the version shown is 4.2.5 or higher.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint (all platforms)

Temporarily remove the /dokan/v1/settings route via the WordPress rest_endpoints filter. Keys in rest_endpoints are relative to the REST root, so the key to unset is '/dokan/v1/settings' (without the /wp-json prefix). Add to a must-use plugin or the theme's functions.php:

    add_filter('rest_endpoints', function ($endpoints) {
        unset($endpoints['/dokan/v1/settings']);
        return $endpoints;
    });

If the plugin registers further routes under the same prefix, each needs its own unset. This also removes the route for legitimate vendors and administrators, so expect any vendor dashboard or mobile-app feature that relies on it to stop working until the patch is applied.
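A more robust form of that workaround, as an added example that is not from the Dokan project or the original page: a must-use plugin that refuses every request whose route starts with /dokan/v1/settings unless the caller holds a chosen capability. It hooks rest_request_before_callbacks rather than unsetting individual routes, so sub-routes and the index.php?rest_route=/dokan/v1/settings form of the URL are covered as well. The capability (manage_woocommerce, assumed to belong to administrators and shop managers only) is an assumption, and like the original workaround it stops ordinary vendors from editing their own settings through this API until Dokan is updated.

```php
<?php
/**
 * Plugin Name: Block Dokan settings REST routes (temporary workaround)
 * Description: Place in wp-content/mu-plugins/ until Dokan is updated to 4.2.5 or later.
 */

// Route prefix to fence off, relative to the REST root. It covers
// /wp-json/dokan/v1/settings, any sub-route beneath it, and the
// index.php?rest_route=/dokan/v1/settings form of the same request.
define( 'DOKAN_WA_ROUTE_PREFIX', '/dokan/v1/settings' );

// Capability that may keep using the routes. Assumption: administrators and
// shop managers hold manage_woocommerce; ordinary vendors and customers do not.
define( 'DOKAN_WA_ALLOWED_CAP', 'manage_woocommerce' );

/**
 * Returns true when a request may proceed. Kept free of WordPress calls so it
 * can be exercised from a plain PHP test without loading WordPress.
 */
function dokan_wa_request_allowed( $route, $has_cap ) {
	if ( strpos( $route, DOKAN_WA_ROUTE_PREFIX ) !== 0 ) {
		return true; // not a settings route: no opinion
	}
	return (bool) $has_cap;
}

// rest_request_before_callbacks runs before the endpoint's permission_callback
// and callback; returning a WP_Error from it short-circuits both.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	if ( is_wp_error( $response ) ) {
		return $response; // an earlier filter already rejected the request
	}
	if ( dokan_wa_request_allowed( $request->get_route(), current_user_can( DOKAN_WA_ALLOWED_CAP ) ) ) {
		return $response;
	}
	return new WP_Error(
		'dokan_settings_temporarily_disabled',
		'The vendor settings API is disabled pending a security update.',
		array( 'status' => 403 )
	);
}, 10, 3 );
```

To confirm it is active, send an authenticated POST as a customer-level account to both /wp-json/dokan/v1/settings and /index.php?rest_route=/dokan/v1/settings and check that each returns HTTP 403 with the dokan_settings_temporarily_disabled code; an administrator's request should still reach the endpoint.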

Restrict API access (all platforms)

Use a web application firewall to block write requests to the vulnerable endpoint.

WAF rule: Block POST/PUT/PATCH/DELETE requests whose path begins with /wp-json/dokan/v1/settings, and the equivalent query form (?rest_route=/dokan/v1/settings on index.php), since WordPress accepts both. A WAF cannot tell administrators from customers by WordPress role, so scope any exception by source IP (for example the addresses administrators work from) rather than by user. Note that the vulnerability also allows reading other vendors' settings, which a write-only rule does not prevent.

🧯 If You Can't Patch

  • If the plugin must stay active, deny or closely monitor every call to /wp-json/dokan/v1/settings (and the ?rest_route=/dokan/v1/settings form) from accounts without administrator privileges, and review vendors' payment settings (PayPal email, bank details, address) for changes the vendor did not make
  • Disable the Dokan plugin entirely until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Dokan version. If version is 4.2.4 or lower, system is vulnerable.

Check Version:

wp plugin get dokan-lite --field=version (if WP-CLI is installed; dokan-lite is the free plugin's directory name, as in the changeset URL above), or check the WordPress admin panel

Verify Fix Applied:

After update, verify Dokan plugin version shows 4.2.5 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST/PUT/PATCH/DELETE requests to /wp-json/dokan/v1/settings (or index.php?rest_route=/dokan/v1/settings) from the same account or source IP, especially from accounts that are not vendors
  • Vendor payment or store settings (PayPal email, bank details, address) changed without a matching vendor login or dashboard session; web server access logs do not record POST bodies, so the targeted vendor ID is visible only in application-level logs

Network Indicators:

  • HTTP 200 responses to POST/PUT requests against /wp-json/dokan/v1/settings from low-privilege accounts, particularly bursts of requests in quick succession that target different vendors

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/dokan/v1/settings*" OR uri_query="*rest_route=/dokan/v1/settings*") AND (http_method="POST" OR http_method="PUT" OR http_method="PATCH" OR http_method="DELETE") | stats count by src_ip, user_agent

Field names depend on the log source; add the authenticated username to the stats clause where the log carries it, since one account hitting the endpoint many times is the stronger signal.
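Because access logs cannot show which vendor a request targeted, the indicators above are easier to act on with an application-level audit record. The following must-use plugin is an added example, not code from Dokan or from the original page: it writes one JSON line per request under /dokan/v1/settings, recording the calling account, its roles, the response status and any vendor ID parameters, and flags the request when a non-admin caller is not a vendor or names a vendor ID other than its own. The candidate parameter names, the assumption that a Dokan vendor ID equals the vendor's WordPress user ID, and the vendor capability name dokandar are all assumptions to verify against your installation.

```php
<?php
/**
 * Plugin Name: Dokan settings REST audit log (detection aid)
 * Description: Emits one JSON line per request under /dokan/v1/settings so a SIEM
 *              can tie the calling account to the vendor being targeted.
 */

define( 'DOKAN_AUDIT_ROUTE_PREFIX', '/dokan/v1/settings' );

// Request parameters that may carry the targeted vendor/store ID. The names are
// assumptions; substitute the parameter your Dokan version actually reads.
define( 'DOKAN_AUDIT_ID_PARAMS', array( 'vendor_id', 'seller_id', 'store_id', 'id' ) );

/**
 * Build the audit record and decide whether the request looks like cross-vendor
 * access. Pure function with no WordPress calls, so it can be tested in isolation.
 * Parameter values other than the ID fields are deliberately not logged, because
 * the payload may contain PayPal emails and bank details.
 * Assumption: a vendor's ID is the vendor's WordPress user ID.
 */
function dokan_audit_build_record( $method, $route, $user_id, $is_vendor, $is_admin, array $params, $status, $src_ip ) {
	$targets = array();
	foreach ( DOKAN_AUDIT_ID_PARAMS as $key ) {
		if ( isset( $params[ $key ] ) && is_scalar( $params[ $key ] ) ) {
			$targets[ $key ] = (int) $params[ $key ];
		}
	}

	$reasons = array();
	if ( ! $is_admin ) {
		if ( ! $is_vendor ) {
			$reasons[] = 'caller_is_not_a_vendor'; // customer-level account on a vendor endpoint
		}
		foreach ( $targets as $key => $id ) {
			if ( $id !== (int) $user_id ) {
				$reasons[] = 'target_' . $key . '_differs_from_caller';
			}
		}
	}

	return array(
		'ts'         => gmdate( 'c' ),
		'event'      => 'dokan_settings_rest',
		'method'     => $method,
		'route'      => $route,
		'status'     => $status,
		'user_id'    => (int) $user_id,
		'is_vendor'  => (bool) $is_vendor,
		'is_admin'   => (bool) $is_admin,
		'src_ip'     => $src_ip,
		'param_keys' => array_keys( $params ),
		'target_ids' => $targets,
		'suspicious' => ! empty( $reasons ),
		'reasons'    => $reasons,
	);
}

// rest_request_after_callbacks sees the final response, so the record carries
// the status the caller actually received, including 403s from a blocking rule.
add_filter( 'rest_request_after_callbacks', function ( $response, $handler, $request ) {
	$route = $request->get_route();
	if ( strpos( $route, DOKAN_AUDIT_ROUTE_PREFIX ) !== 0 ) {
		return $response;
	}
	if ( is_wp_error( $response ) ) {
		$status = 'error:' . $response->get_error_code();
	} elseif ( $response instanceof WP_HTTP_Response ) {
		$status = $response->get_status();
	} else {
		$status = 200;
	}
	$user_id = get_current_user_id(); // 0 for unauthenticated callers
	$record  = dokan_audit_build_record(
		$request->get_method(),
		$route,
		$user_id,
		user_can( $user_id, 'dokandar' ),          // Dokan vendor capability (assumed name)
		user_can( $user_id, 'manage_woocommerce' ),
		$request->get_params(),
		$status,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''
	);
	error_log( wp_json_encode( $record ) );
	return $response;
}, 10, 3 );
```

Ship the PHP error log to the SIEM and search it with something like event="dokan_settings_rest" suspicious=true | stats count by user_id, src_ip, reasons; a single user_id with many distinct target_ids, or a caller_is_not_a_vendor reason paired with status 200, matches the exploitation pattern this CVE describes.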
